{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1236", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T16:37:15.337Z", "datePublished": "2026-03-04T08:23:56.092Z", "dateUpdated": "2026-04-08T17:18:43.927Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:43.927Z"}, "affected": [{"vendor": "smub", "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows & More", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Envira Gallery for WordPress <= 1.12.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'justified_gallery_theme' Parameter via REST API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc552d46-79ca-4540-8620-5a031238cd62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/shortcode.php#L302"}, {"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.3/includes/global/shortcode.php#L302"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3465371%40envira-gallery-lite&old=3444965%40envira-gallery-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "timeline": [{"time": "2026-01-20T16:56:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-03T20:19:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T21:27:45.608394Z", "id": "CVE-2026-1236", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T21:28:05.766Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1236", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T21:27:45.608394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T21:27:54.390Z"}}], "cna": {"title": "Envira Gallery for WordPress <= 1.12.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'justified_gallery_theme' Parameter via REST API", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "smub", "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows & More", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.12.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-20T16:56:31.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-03T20:19:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc552d46-79ca-4540-8620-5a031238cd62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/shortcode.php#L302"}, {"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.3/includes/global/shortcode.php#L302"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3465371%40envira-gallery-lite&old=3444965%40envira-gallery-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:43.927Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1236", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:43.927Z", "dateReserved": "2026-01-20T16:37:15.337Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-04T08:23:56.092Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Envira Gallery para WordPress para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'justified_gallery_theme' en todas las versiones hasta, e incluyendo, 1.12.3 debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1236", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-04T09:15:55.293", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.3/includes/global/shortcode.php#L302"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/shortcode.php#L302"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3465371%40envira-gallery-lite&old=3444965%40envira-gallery-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc552d46-79ca-4540-8620-5a031238cd62?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows & More", "source": "cna", "vendor": "smub"}, "product": "photo_gallery", "vendor": "enviragallery"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:04:23.069584+00:00", "value": {"mitigation_remediation": ["Update the Envira Gallery plugin to the latest version (>=1.12.4) which removes the insecure handling of the \"justified_gallery_theme\" parameter.", "After updating, delete or disable any galleries that have been configured by users to ensure that no malicious content remains stored in the database.", "Implement a Content Security Policy or use a security plugin to block inline script execution, reducing risk until the plugin is fully patched."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected software is the Envira Gallery plugin for WordPress, produced by smub. All releases up to and including version 1.12.3 are vulnerable. WordPress sites running any of these plugin versions are at risk.", "description_and_impact": "The vulnerability allows an authenticated user with Author or higher privileges to inject arbitrary JavaScript into the \"justified_gallery_theme\" parameter of the plugin. Because the input is not sanitized and output is not escaped, the script is stored and executed whenever a page containing the gallery is viewed. This can lead to theft of cookies, session hijacking, defacement, or broader compromise of other visitors\u2019 browsers. The weakness is a classic stored cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to be an authenticated Author or higher on the affected WordPress site; they must submit a gallery configuration that includes a malicious \"justified_gallery_theme\" value, which is then stored in the database and rendered in subsequent page loads. The attack vector is local to the web application but can have remote effects on unauthenticated visitors who view the injected content."}}}}, "created": "2026-03-04T21:03:54.291671+00:00", "updated": "2026-04-15T20:15:13.706149+00:00", "vendors": ["enviragallery", "enviragallery$PRODUCT$photo_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}