CVE-2026-57695 in Document Gallery Plugininfo

Summary

by MITRE • 07/13/2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through <= 5.1.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

This cross-site scripting vulnerability stems from inadequate input sanitization within the document-gallery plugin, specifically affecting versions up to and including 5.1.0. The flaw manifests when user-supplied data is directly incorporated into web page generation without proper neutralization, creating an avenue for malicious script injection. The vulnerability operates through reflected XSS techniques where attacker-controlled payloads are embedded in URL parameters or form inputs and subsequently executed within the victim's browser context.

The technical implementation of this vulnerability involves the plugin's failure to properly escape or filter user input before rendering it in HTML output contexts. When users interact with the document gallery interface, particularly through navigation parameters or search functions, malicious code can be injected and subsequently reflected back to the user's browser. This creates a persistent vector for executing arbitrary JavaScript code within the context of the affected website.

The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. Attackers can leverage this flaw to steal cookies, modify page content, redirect users to malicious sites, or even perform actions on behalf of authenticated users. The reflected nature of the vulnerability means that exploitation requires user interaction with a crafted link, making it particularly dangerous in phishing campaigns where social engineering can be combined with technical exploitation.

This vulnerability aligns with CWE-79 which defines Cross-Site Scripting as a weakness where untrusted data is incorporated into web pages without proper validation or escaping. The ATT&CK framework categorizes this under T1059.008 for command and scripting interpreter using PowerShell or similar tools, though the actual exploitation would occur through browser-based payloads. The vulnerability represents a significant risk to WordPress installations as it can be exploited through simple URL manipulation without requiring authentication.

Mitigation strategies should prioritize immediate plugin updates to versions that address this XSS flaw, as the vendor has likely released patches to resolve the input sanitization issues. Additionally, implementing proper content security policies, deploying web application firewalls, and conducting regular security audits can provide additional layers of protection. Input validation and output encoding should be enforced at multiple points within the application's data flow to prevent similar vulnerabilities from persisting in future versions.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00184

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!