CVE-2026-1236 in Envira Gallery Plugin

Summary

by MITRE • 03/04/2026

The Envira Gallery for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/05/2026

The CVE-2026-1236 vulnerability resides within the Envira Gallery for WordPress plugin and affects all versions through 1.12.3. This stored cross-site scripting flaw represents a critical security weakness stemming from insufficient input sanitization and output escaping within the plugin's codebase. The vulnerability manifests through the 'justified_gallery_theme' parameter, which is neither validated nor sanitized before the plugin processes it and stores it in the WordPress database. Attackers with Author-level privileges or higher can leverage this weakness to inject malicious scripts that persist in the system and execute whenever affected pages are accessed by other users.

The exploitation of this vulnerability follows the classic stored XSS pattern: malicious input is first accepted and stored by the application's backend, then served back to unsuspecting users during normal page rendering. Because the 'justified_gallery_theme' parameter lacks proper input validation and sanitization, attackers can inject HTML or JavaScript payloads that are subsequently executed in the context of the victim's browser. This creates a persistent threat vector in which the malicious code becomes part of the legitimate website content, making detection harder and potentially enabling further attacks such as session hijacking, credential theft, or redirection to malicious sites.

The operational impact of this vulnerability extends beyond simple script execution, as it gives attackers a foothold for more sophisticated attacks within the WordPress environment. Authenticated users with Author-level access or higher can exploit this weakness to compromise other users' sessions, potentially gaining access to sensitive content, modifying gallery configurations, or injecting additional malicious payloads. Because the vulnerability is stored, the injected scripts remain active until they are removed from the database, creating a persistent threat to any user who views pages containing the malicious content. The vulnerability maps directly to CWE-79 (Cross-Site Scripting) and aligns with ATT&CK technique T1566.001 (Initial Access through Spearphishing Attachments), as attackers could use it to establish a persistent presence on compromised WordPress installations.

Mitigation strategies for CVE-2026-1236 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement strict input validation and sanitization measures for all user-supplied parameters, particularly those used in content management systems. Security teams should conduct thorough code reviews to identify similar vulnerabilities in other plugins or custom code, implementing proper output escaping mechanisms for all dynamic content. Additionally, network monitoring should be enhanced to detect unusual script injection patterns, and user access controls should be reviewed to minimize the number of users with Author-level privileges or higher. Regular security audits and vulnerability assessments should be conducted to identify and remediate similar weaknesses in WordPress installations, with particular attention to plugins that handle user-generated content or configuration parameters that can be manipulated through the web interface.
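As an added illustration (not Envira Gallery's own code), the following shows the weak pattern the analysis describes beside the hardened form the mitigation calls for: a gallery setting named 'justified_gallery_theme' is saved from a form and later echoed into markup. The function names, the post-meta storage, the theme allowlist and the CSS-class output context are assumptions; only the parameter name comes from the advisory.

```php
<?php
// Added illustration, not the plugin's real handlers. Assumptions: the setting
// is stored as post meta on the gallery post and rendered as a CSS class.

// Weak pattern: the submitted value is stored verbatim and echoed unescaped.
// Anyone allowed to submit the form controls what ends up in the page markup.
function weak_save_theme( int $gallery_id ): void {
    $theme = $_POST['justified_gallery_theme'] ?? '';
    update_post_meta( $gallery_id, 'justified_gallery_theme', $theme ); // no sanitization
}

function weak_render_theme( int $gallery_id ): string {
    $theme = get_post_meta( $gallery_id, 'justified_gallery_theme', true );
    return '<div class="gallery-theme-' . $theme . '">';                // no output escaping
}

// Hardened pattern: capability check, nonce check, allowlist on input,
// re-validation and escaping on output.
const JUSTIFIED_THEMES = array( 'normal', 'dark', 'light' );            // assumed theme names

function safe_save_theme( int $gallery_id ): bool {
    if ( ! current_user_can( 'edit_post', $gallery_id ) ) {
        return false;                                                   // wrong user
    }
    $nonce = $_POST['_wpnonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'save_gallery_' . $gallery_id ) ) {
        return false;                                                   // CSRF token missing/invalid
    }
    // sanitize_key() lowercases and keeps only [a-z0-9_-]; the allowlist then
    // rejects anything that is not a known theme name.
    $theme = sanitize_key( wp_unslash( $_POST['justified_gallery_theme'] ?? '' ) );
    if ( ! in_array( $theme, JUSTIFIED_THEMES, true ) ) {
        $theme = 'normal';
    }
    return (bool) update_post_meta( $gallery_id, 'justified_gallery_theme', $theme );
}

function safe_render_theme( int $gallery_id ): string {
    $theme = (string) get_post_meta( $gallery_id, 'justified_gallery_theme', true );
    // Defense in depth: the database may still hold values stored before the
    // fix, so validate again on read and escape for the attribute context.
    if ( ! in_array( $theme, JUSTIFIED_THEMES, true ) ) {
        $theme = 'normal';
    }
    return '<div class="gallery-theme-' . esc_attr( $theme ) . '">';
}
```

After deploying the fix, the re-validation on read is what neutralizes values that were already persisted; cleaning the stored meta is still advisable so the bad data does not linger.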

Disclosure

03/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00045

KEV

no

Activities

very low
