WordPress Security Bulletin: Easy Image Gallery Plugin Vulnerability (CVE-2026-4766)


Security Alert Summary

The Easy Image Gallery plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the gallery shortcode post meta field. Authenticated users with Contributor-level access and above can supply gallery shortcode values that are not properly sanitized or escaped, allowing injected scripts to execute when an affected page is viewed.


CVE Details

  • CVE ID: CVE-2026-4766
  • Affected component: Easy Image Gallery plugin for WordPress
  • Affected versions: All versions up to, and including, 1.5.3
  • Published: March 25, 2026 at 2:16:06 AM
  • Last modified: March 25, 2026 at 3:41:33 PM
  • CVSS v3.1: Base Score 6.4, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user. Privileges required: LOW (Contributor-level access and above). User interaction: NONE.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation)

Technical Details

This issue is a Stored Cross-Site Scripting (XSS) vulnerability arising from insufficient input sanitization and insufficient output escaping of user-supplied gallery shortcode values stored in the Gallery shortcode post meta field. Because the plugin accepts and saves gallery shortcode values supplied by authenticated users and later outputs those values into pages without adequate escaping, an attacker with the required privileges can inject arbitrary JavaScript into a post or page. The value only needs to be stored once; it is rendered on every subsequent view.

Injected scripts will execute whenever an affected page is viewed, in the context of that site and the viewing user. The vulnerability exists specifically in the handling of the gallery shortcode values and the associated post meta field where user input is not properly neutralized before output.
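The pattern described above, as an added illustration that is not the Easy Image Gallery plugin's own code: a shortcode handler that reads a value from post meta and echoes it straight into an HTML attribute, next to a hardened version that validates the value on save, re-validates on output, and escapes it. The meta key `_demo_gallery`, the shortcode tag `demo_gallery`, and the nonce name are assumptions for the example; the WordPress functions used (`shortcode_atts`, `get_post_meta`, `esc_attr`, `absint`, `wp_verify_nonce`, `wp_get_attachment_image`) are standard core APIs.

```php
<?php
// Illustrative example only: not the Easy Image Gallery plugin's code.
// The meta key '_demo_gallery', shortcode tag 'demo_gallery' and nonce
// 'demo_gallery_save' are assumed names for this demonstration.

// VULNERABLE PATTERN: a value a Contributor saved is echoed as-is.
function demo_gallery_shortcode_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'id' => get_the_ID() ), $atts, 'demo_gallery' );
    $value = get_post_meta( (int) $atts['id'], '_demo_gallery', true );
    // No escaping: a stored value such as  1,2" onmouseover="alert(document.cookie)
    // closes the attribute and adds an event handler that runs for every viewer.
    return '<div class="gallery" data-images="' . $value . '"></div>';
}

// HARDENED, step 1: validate on save. The field is meant to hold a list of
// attachment IDs, so anything that is not a positive integer is dropped.
function demo_gallery_save_meta( $post_id ) {
    if ( ! isset( $_POST['demo_gallery'], $_POST['demo_gallery_nonce'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['demo_gallery_nonce'], 'demo_gallery_save' ) ) {
        return;
    }
    $ids = array_filter( array_map( 'absint', explode( ',', wp_unslash( $_POST['demo_gallery'] ) ) ) );
    update_post_meta( $post_id, '_demo_gallery', implode( ',', $ids ) );
}
add_action( 'save_post', 'demo_gallery_save_meta' );

// HARDENED, step 2: re-validate and escape on output. Stored rows may predate
// the save-time check, so output never trusts what is in the database.
function demo_gallery_shortcode_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'id' => get_the_ID() ), $atts, 'demo_gallery' );
    $value = get_post_meta( (int) $atts['id'], '_demo_gallery', true );
    $ids   = array_filter( array_map( 'absint', explode( ',', (string) $value ) ) );
    $out   = '<div class="gallery" data-images="' . esc_attr( implode( ',', $ids ) ) . '">';
    foreach ( $ids as $id ) {
        // wp_get_attachment_image() builds and escapes the <img> tag itself.
        $out .= wp_get_attachment_image( $id, 'thumbnail' );
    }
    return $out . '</div>';
}
add_shortcode( 'demo_gallery', 'demo_gallery_shortcode_hardened' );
```

`esc_attr()` alone would stop the attribute break-out, but narrowing the stored value to what the field actually needs (integer IDs) means a payload is never persisted in the first place, which also keeps it out of any other template, widget or export that reads the same meta key.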


How This Could Impact Your Website

Consider a typical small business site where multiple people contribute content: a site owner, internal staff who publish posts, and external contractors or contributors. A Contributor who can edit or create gallery shortcodes could store a crafted shortcode value that contains JavaScript. Contributors cannot publish on their own, but the payload does not need to be published: it runs as soon as another user (for example, an editor or site administrator) previews or reviews the pending post, and on every front-end view once the post is live. The script executes with the viewing user's session, so it can read whatever that user's browser can see on the page and issue requests with that user's cookies. Practical consequences include exposure of data available to the viewer in the browser context, and the increased risk of targeted phishing or social engineering if attacker-controlled scripts collect or display user-specific information.

The impact aligns with the CVSS assessment: confidentiality and integrity impacts are possible but limited in scope (LOW), and availability is not affected. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (any release above 1.5.3). Until one ships, consider deactivating the plugin on sites where untrusted Contributors can create posts.
  • Review and reduce unnecessary user roles, especially Contributors and other roles with edit or publish capabilities.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior related to post meta or shortcode changes.
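One way to act on the last point, as an added example rather than anything from the bulletin or the plugin: a small must-use plugin that hooks WordPress's `added_post_meta` and `updated_post_meta` actions and writes a log line whenever a gallery-related meta value contains markup, an event-handler attribute or a script URL. The meta key prefix `_demo_gallery` is an assumption; substitute the key your plugin actually writes.

```php
<?php
// Illustrative mu-plugin (wp-content/mu-plugins/gallery-meta-alert.php).
// Not part of the Easy Image Gallery plugin; the meta key prefix
// '_demo_gallery' is an assumed value for this example.

// Markup, inline event handlers and script URLs have no business in a list of
// gallery image IDs, so any of them in the stored value is worth a log line.
function demo_gallery_meta_looks_suspicious( $value ) {
    $value = is_scalar( $value ) ? (string) $value : wp_json_encode( $value );
    return (bool) preg_match( '/<[a-z!\/]|\bon[a-z]+\s*=|javascript:|data:text\/html/i', $value );
}

// Both hooks pass ($meta_id, $object_id, $meta_key, $meta_value).
function demo_gallery_log_meta_write( $meta_id, $post_id, $meta_key, $meta_value ) {
    if ( 0 !== strpos( $meta_key, '_demo_gallery' ) ) {
        return;
    }
    if ( ! demo_gallery_meta_looks_suspicious( $meta_value ) ) {
        return;
    }
    $user  = wp_get_current_user();
    $value = is_scalar( $meta_value ) ? (string) $meta_value : wp_json_encode( $meta_value );
    // Truncate so a large payload cannot flood the log; the post ID is enough to find it.
    error_log( sprintf(
        'gallery-meta-alert: user=%d (%s) post=%d key=%s ip=%s value=%s',
        $user->ID,
        $user->user_login,
        $post_id,
        $meta_key,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        substr( $value, 0, 200 )
    ) );
}
add_action( 'added_post_meta',   'demo_gallery_log_meta_write', 10, 4 );
add_action( 'updated_post_meta', 'demo_gallery_log_meta_write', 10, 4 );
```

The log line goes to PHP's `error_log` destination (typically `wp-content/debug.log` when `WP_DEBUG_LOG` is on), which is easy to ship to whatever you already alert on. The same regular expression can be run once over existing `wp_postmeta` rows to find values that were stored before the logging was in place.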

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
