{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4300", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T19:53:16.672Z", "datePublished": "2026-04-08T09:25:50.003Z", "dateUpdated": "2026-04-08T17:26:49.967Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:49.967Z"}, "affected": [{"vendor": "robosoft", "product": "Robo Gallery \u2013 Photo & Image Slider", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom `|***...***|` marker pattern in its `fixJsFunction()` method to embed raw JavaScript function references within JSON-encoded configuration objects. When a gallery's options are rendered on the frontend, `json_encode()` wraps all string values in double quotes. The `fixJsFunction()` method then strips the `\"|***` and `***|\"` sequences, effectively converting a JSON string value into raw JavaScript code. The Loading Label field (stored as `rbs_gallery_LoadingWord` post_meta) is an `rbstext` type field that is sanitized with `sanitize_text_field()` on save. While this strips HTML tags, it does not strip the `|***...***|` markers since they contain no HTML. When a user inputs `|***alert(document.domain)***|`, the value passes through sanitization intact, is stored in post_meta, and is later retrieved and output within an inline `<script>` tag via `renderMainBlock()` with the quote markers stripped \u2014 resulting in arbitrary JavaScript execution. The gallery post type uses `capability_type => 'post'`, allowing Author-level users to create galleries. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the gallery shortcode."}], "title": "Robo Gallery <= 5.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'Loading Label' Setting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8693b7d-693f-450a-89ef-e936a8813ca9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L97"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L97"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L52"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L52"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/grid/grid.v1.php#L89"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/grid/grid.v1.php#L89"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/options/rbs_gallery_options_loading.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/options/rbs_gallery_options_loading.php#L95"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3488182%40robo-gallery&new=3488182%40robo-gallery&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-03-17T07:47:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T21:02:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:17:41.302256Z", "id": "CVE-2026-4300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:17:57.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:17:41.302256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:17:52.726Z"}}], "cna": {"title": "Robo Gallery <= 5.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'Loading Label' Setting", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "robosoft", "product": "Robo Gallery \u2013 Photo & Image Slider", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T07:47:22.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T21:02:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8693b7d-693f-450a-89ef-e936a8813ca9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L97"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L97"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L52"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L52"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/grid/grid.v1.php#L89"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/grid/grid.v1.php#L89"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/options/rbs_gallery_options_loading.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/options/rbs_gallery_options_loading.php#L95"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3488182%40robo-gallery&new=3488182%40robo-gallery&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom `|***...***|` marker pattern in its `fixJsFunction()` method to embed raw JavaScript function references within JSON-encoded configuration objects. When a gallery's options are rendered on the frontend, `json_encode()` wraps all string values in double quotes. The `fixJsFunction()` method then strips the `\"|***` and `***|\"` sequences, effectively converting a JSON string value into raw JavaScript code. The Loading Label field (stored as `rbs_gallery_LoadingWord` post_meta) is an `rbstext` type field that is sanitized with `sanitize_text_field()` on save. While this strips HTML tags, it does not strip the `|***...***|` markers since they contain no HTML. When a user inputs `|***alert(document.domain)***|`, the value passes through sanitization intact, is stored in post_meta, and is later retrieved and output within an inline `<script>` tag via `renderMainBlock()` with the quote markers stripped \u2014 resulting in arbitrary JavaScript execution. The gallery post type uses `capability_type => 'post'`, allowing Author-level users to create galleries. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the gallery shortcode."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:49.967Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4300", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:49.967Z", "dateReserved": "2026-03-16T19:53:16.672Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T09:25:50.003Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom `|***...***|` marker pattern in its `fixJsFunction()` method to embed raw JavaScript function references within JSON-encoded configuration objects. When a gallery's options are rendered on the frontend, `json_encode()` wraps all string values in double quotes. The `fixJsFunction()` method then strips the `\"|***` and `***|\"` sequences, effectively converting a JSON string value into raw JavaScript code. The Loading Label field (stored as `rbs_gallery_LoadingWord` post_meta) is an `rbstext` type field that is sanitized with `sanitize_text_field()` on save. While this strips HTML tags, it does not strip the `|***...***|` markers since they contain no HTML. When a user inputs `|***alert(document.domain)***|`, the value passes through sanitization intact, is stored in post_meta, and is later retrieved and output within an inline `<script>` tag via `renderMainBlock()` with the quote markers stripped \u2014 resulting in arbitrary JavaScript execution. The gallery post type uses `capability_type => 'post'`, allowing Author-level users to create galleries. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the gallery shortcode."}], "id": "CVE-2026-4300", "lastModified": "2026-04-24T18:05:09.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T10:16:01.953", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/grid/grid.v1.php#L89"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L52"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L87"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L97"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/options/rbs_gallery_options_loading.php#L95"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/grid/grid.v1.php#L89"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L52"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L87"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L97"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/options/rbs_gallery_options_loading.php#L95"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3488182%40robo-gallery&new=3488182%40robo-gallery&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8693b7d-693f-450a-89ef-e936a8813ca9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Robo Gallery \u2013 Photo & Image Slider", "source": "cna", "vendor": "robosoft"}, "product": "robo_gallery_\u2013_photo_&_image_slider", "vendor": "robosoft"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:40:01.404966+00:00", "value": {"mitigation_remediation": ["Upgrade Robo Gallery to version 5.1.4 or later", "If an upgrade is not possible, disable or remove the 'Loading Label' option from gallery settings to block script injection", "Delete or sanitize any existing gallery posts that contain malicious markers", "Consider limiting or revoking Author permissions if not needed for content creation"], "summary": {"action": "Immediate Patch", "impact": "Stored XSS via authenticated 'Loading Label' setting"}, "threat_synthesis": {"affected_systems": "WordPress sites installing Robo Gallery \u2013 Photo & Image Slider version 5.1.3 or earlier. The vulnerability is triggered by users with Author-level or higher capabilities, who can create or edit gallery posts.", "description_and_impact": "The plugin processes a custom marker in JSON configuration that is later stripped during rendering, allowing a stored script to run inside an inline <script> tag on any page that displays the gallery. An attacker can thus inject JavaScript that executes in the browsers of all visitors to those pages, enabling session theft, defacement, or other malicious actions.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only authenticated access with Author privileges; no privilege escalation or additional conditions are needed. The impact is limited to pages containing the gallery, but the script runs in any visitor\u2019s browser and can affect all users who view the gallery."}}}}, "created": "2026-04-08T19:27:16.116531+00:00", "updated": "2026-04-08T19:39:53.560162+00:00", "vendors": ["robosoft", "robosoft$PRODUCT$robo_gallery_\u2013_photo_&_image_slider", "wordpress", "wordpress$PRODUCT$wordpress"]}