{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32356", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:47.069Z", "datePublished": "2026-03-13T11:42:00.938Z", "dateUpdated": "2026-04-29T09:51:57.730Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "robo-gallery", "product": "Robo Gallery", "vendor": "robosoft", "versions": [{"changes": [{"at": "5.1.3", "status": "unaffected"}], "lessThanOrEqual": "5.1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:40.757Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows DOM-Based XSS.<p>This issue affects Robo Gallery: from n/a through <= 5.1.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows DOM-Based XSS.This issue affects Robo Gallery: from n/a through <= 5.1.2."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.730Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/robo-gallery/vulnerability/wordpress-robo-gallery-plugin-5-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Robo Gallery plugin <= 5.1.2 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:19:27.338041Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:23:48.414Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:19:27.338041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:19:27.956Z"}}], "cna": {"title": "WordPress Robo Gallery plugin <= 5.1.2 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "robosoft", "product": "Robo Gallery", "versions": [{"status": "affected", "changes": [{"at": "5.1.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.1.2"}], "packageName": "robo-gallery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:40.757Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/robo-gallery/vulnerability/wordpress-robo-gallery-plugin-5-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows DOM-Based XSS.This issue affects Robo Gallery: from n/a through <= 5.1.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows DOM-Based XSS.<p>This issue affects Robo Gallery: from n/a through <= 5.1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.730Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32356", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:57.730Z", "dateReserved": "2026-03-12T11:10:47.069Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:00.938Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows DOM-Based XSS.This issue affects Robo Gallery: from n/a through <= 5.1.2."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en robosoft Robo Gallery robo-gallery permite XSS basado en DOM. Este problema afecta a Robo Gallery: desde n/a hasta &lt;= 5.1.2."}], "id": "CVE-2026-32356", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:47.870", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/robo-gallery/vulnerability/wordpress-robo-gallery-plugin-5-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.1.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Robo Gallery", "source": "cna", "vendor": "robosoft"}, "product": "robo_gallery", "vendor": "robosoft"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:49:58.419992+00:00", "value": {"mitigation_remediation": ["Update Robo Gallery plugin to the latest version (\u2265\u00a05.1.3)."], "summary": {"action": "Patch", "impact": "DOM-based Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the robosoft Robo Gallery WordPress plugin, from the earliest releases through version 5.1.2, are potentially vulnerable. Users running any version less than or equal to 5.1.2 are affected. The vendor is Robosoft and the product is the Robo Gallery plugin.", "description_and_impact": "The Robo Gallery plugin contains a DOM\u2011based Cross\u2011Site Scripting (XSS) flaw. The plugin fails to neutralize user input during page generation, allowing an attacker to inject malicious JavaScript that executes in the victim\u2019s browser. This flaw can be used to steal credentials, hijack sessions, or perform arbitrary actions within the user\u2019s session, representing a classic CWE\u201179 weakness.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score is reported as less than 1\u2009%, suggesting a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can craft a malicious URL or input that is rendered into the DOM, and when a victim visits the link or submits the input, the injected script runs without additional privileges."}}}}, "created": "2026-03-16T09:34:50.938184+00:00", "updated": "2026-03-23T09:59:00.723657+00:00", "vendors": ["robosoft", "robosoft$PRODUCT$robo_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}