8961 matches found
CVE-2026-4766
Product/Component: Easy Image Gallery WordPress plugin. Vulnerability: Stored Cross-Site Scripting via Gallery shortcode post meta, affecting all versions up to 1.5.3. Root cause: Insufficient input sanitization and output escaping on user-supplied gallery shortcode values. Impact: Authenticated ...
CVE-2026-4766 Easy Image Gallery <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Shortcode Post Meta
The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery shortcode values. This makes ...
EUVD-2026-15181
The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery shortcode values. This makes ...
PT-2026-27635
Name of the Vulnerable Software and Affected Versions: Easy Image Gallery versions prior to 1.5.4. Description: The Easy Image Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Gallery shortcode post meta field. Insufficient input sanitization and output escaping...
WordPress Task Manager plugin <= 3.0.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'task_id' Parameter vulnerability
Authenticated Subscriber+ Arbitrary Shortcode Execution via 'task_id' Parameter vulnerability discovered by theviper17y in WordPress Plugin Task Manager versions <= 3.0.2...
WordPress ARForms plugin <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution vulnerability
Unauthenticated Blind Arbitrary Shortcode Execution vulnerability discovered by Krzysztof Zając - CERT PL in WordPress Plugin ARForms Form Builder versions <= 1.7.2...
CVE-2026-4283
The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the super-unsubscribe AJAX action accepting a processnow parameter from unauthenticated users, which bypasses the intended email-confirmation...
WordPress WPFAQBlock- FAQ & Accordion Plugin For Gutenberg plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by theviper17y in WordPress Plugin WPFAQBlock versions <= 1.1...
WordPress Schema Shortcode plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Schema Shortcode versions <= 1.0...
WordPress iVysilani Shortcode plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'width' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin iVysilani Shortcode versions <= 3.0...
WordPress WP NG Weather plugin <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP NG Weather versions <= 1.0.9...
WordPress Tour & Activity Operator Plugin for TourCMS plugin <= 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Tour & Activity Operator Plugin for TourCMS versions <= 1.7.0...
WordPress Easy Image Gallery plugin <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery SHORTCODE Post Meta vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Gallery SHORTCODE Post Meta vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Easy Image Gallery versions <= 1.5.3...
WordPress Ed's Font Awesome plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin Ed's Font Awesome versions <= 2.0...
WordPress Ed's Social Share plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin Ed's Social Share versions <= 2.0...
WordPress MinhNhut Link Gateway plugin <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by san6051 - PWC in WordPress Plugin MinhNhut Link Gateway versions <= 3.6.1...
WordPress FuseDesk plugin <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin FuseDesk versions <= 6.8...
WordPress Any Post Slider plugin <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'post_type' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Any Post Slider versions <= 1.0.4...