Stored Cross-Site Scripting in SimpLy Gallery Block & Lightbox Plugin for WordPress
CVE-2026-5743
6.4MEDIUM
What is CVE-2026-5743?
The SimpLy Gallery Block & Lightbox plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability that allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts via insufficiently sanitized block attributes. The vulnerability arises from a flaw in the input sanitization process of the sliderMaxHeight block attribute in the pgc_sgb_render_callback() function. Due to a poorly constructed regex pattern, the sanitization function fails to filter out unquoted event handlers, enabling adversaries to execute malicious scripts when a user accesses an affected page.
Affected Version(s)
SimpLy Gallery 0 <= 3.3.3.1