CVE-2026-1302
Stored XSS in Meta-box GalleryMeta Plugin Affects WordPress Multisite
Publication date: 2026-01-24
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpressthemes | meta-box-gallerymeta | to 3.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1302 is a Stored Cross-Site Scripting (XSS) vulnerability in the Meta-box GalleryMeta WordPress plugin (up to version 3.0.1). It occurs because the plugin does not properly sanitize or escape certain inputs, specifically the YouTube URL and post excerpts used in the gallery display. Authenticated users with editor-level permissions or higher can inject malicious scripts via the admin settings. These scripts then execute whenever a user views the affected gallery page, potentially compromising site security. This vulnerability affects multi-site WordPress installations or those where unfiltered_html is disabled. [2]
How can this vulnerability impact me? :
This vulnerability can allow attackers with editor-level access to inject malicious scripts into gallery pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, data theft, or other malicious actions. Since the vulnerability is stored, the malicious code persists and affects all users who access the infected pages, increasing the risk and impact of the attack. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if the Meta-box GalleryMeta plugin version 3.0.1 or earlier is installed on a WordPress multi-site installation with unfiltered_html disabled. You can inspect posts for malicious scripts injected via the 'mbgm_youtube_url' post meta or post excerpts. Commands to detect suspicious content include using WP-CLI to list posts with suspicious meta values, for example: `wp post meta get <post_id> mbgm_youtube_url` to review YouTube URLs for injected scripts, and `wp post list --post_type=gallery --format=ids` to enumerate gallery posts. Additionally, scanning the database for script tags or suspicious iframe sources in post excerpts can help detect exploitation. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Meta-box GalleryMeta plugin to a version that fixes the vulnerability (if available), or disabling the plugin if an update is not yet released. Restrict editor-level and higher permissions to trusted users only, especially on multi-site installations with unfiltered_html disabled. Additionally, review and sanitize existing 'mbgm_youtube_url' post meta and post excerpts to remove any injected scripts. Applying Web Application Firewall (WAF) rules to block malicious payloads targeting this plugin can also help reduce risk. [2]