Security Alert Summary
The Tiled Gallery Carousel Without JetPack plugin for WordPress contains a stored cross-site scripting vulnerability in the data-image-title parameter. Authenticated users with contributor-level access or higher can abuse it to inject scripts that run whenever a page containing the injected content is viewed.
CVE Details
- CVE ID: CVE-2026-5191
- Affected component: Tiled Gallery Carousel Without JetPack plugin for WordPress
- Affected versions: All versions up to and including 3.1
- Published: June 2, 2026 at 10:16:25 AM UTC
- Last modified: June 2, 2026 at 1:03:31 PM UTC
- CVSS v3.1: Base Score 5.4 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Authentication / Privileges / User interaction: Requires an authenticated user; privileges required: Low (contributor-level access or above); user interaction required.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping of the data-image-title parameter. Authenticated users with contributor-level access or higher can supply malicious content that is stored and later rendered on pages. When a user views a page containing the injected payload, the script executes in the context of that page. The affected code is in the plugin file jetpack-carousel.js (see References).
The impact is limited to what a script can do in the page context, consistent with the CVSS ratings of low confidentiality impact, low integrity impact, and no availability impact. Based on the available information, the vulnerability does not imply remote code execution on the server; execution is confined to the browser of a user viewing an affected page.
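The following is an added illustration, not code from the plugin or from this advisory. It shows the difference between a carousel script that concatenates the data-image-title value straight into caption markup (the pattern behind this class of stored XSS) and one that escapes it, plus a small check a site owner could run over stored titles to spot ones that contain markup. Function names and the sample gallery items are constructed for the example.

```javascript
// Added example: treating data-image-title as text, never as markup.
// Not the plugin's own code; names and sample data are constructed here.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Unsafe pattern: the attribute value becomes part of the caption markup verbatim,
// so a stored title containing tags is parsed and executed by the browser.
function renderCaptionUnsafe(imageTitle) {
  return '<div class="carousel-caption">' + imageTitle + '</div>';
}

// Hardened pattern: the value is escaped before it is placed in markup.
function renderCaptionSafe(imageTitle) {
  return '<div class="carousel-caption">' + escapeHtml(imageTitle) + '</div>';
}

// In a browser, prefer textContent over innerHTML: no HTML parsing takes place.
function setCaptionText(captionElement, imageTitle) {
  captionElement.textContent = String(imageTitle);
  return captionElement.textContent;
}

// Defender check: flag stored titles that look like markup or event handlers.
// A legitimate title rarely contains a tag, an on...= handler, or a javascript: URL.
function looksLikeMarkup(imageTitle) {
  return /<[a-z!\/]|\bon\w+\s*=|javascript:/i.test(String(imageTitle));
}

// Constructed sample gallery items; item 3 carries a textbook test string.
const SAMPLE_ITEMS = [
  { id: 1, title: 'Sunset over the bay' },
  { id: 2, title: 'Tom & Jerry "classic" <3' },
  { id: 3, title: '<script>alert(1)</script>' },
];

// Return the ids of items whose stored title should be reviewed.
function auditTitles(items) {
  return items.filter((item) => looksLikeMarkup(item.title)).map((item) => item.id);
}
```

The audit regex is a triage aid for reviewing existing content, not a substitute for escaping on output; legitimate titles such as item 2 pass through untouched while still being rendered safely.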
How This Could Impact Your Website
In a realistic scenario, a contractor or contributor who can upload or edit gallery items could add a crafted data-image-title value that stores a script. When an internal staff member or site owner opens the gallery page in the admin interface or on the public site, that script may run in their browser. Practical consequences include exposure of information visible to that browser session (for example, data shown on the page or otherwise reachable through the DOM) and an increased risk of targeted phishing or social engineering using information gleaned from user accounts.
For example, an editor viewing an injected gallery page could have their session data or visible account information accessed by the script, or an attacker could use displayed names and email addresses to craft convincing phishing messages to staff. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and themes.
- Monitor site activity and logs for unusual behavior or unexpected content changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.