PatchSiren

CVE-2026-5361 Plugins CVE debrief

CVE-2026-5361 describes a stored cross-site scripting weakness in Envira Gallery Lite for WordPress affecting versions up to and including 1.12.4. The issue is tied to REST API handling and unsafe output in inline JavaScript, allowing authenticated users with Author-level access and above to store script content that can run when an injected page is later viewed.

  • Vendor: Plugins
  • Product: Unknown
  • CVSS: MEDIUM 6.4
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-05-14
  • Original CVE updated: 2026-05-14
  • Advisory published: 2026-05-14
  • Advisory updated: 2026-05-14

Who should care

WordPress site owners, administrators, managed hosting teams, and security responders running Envira Gallery Lite 1.12.4 or earlier should review this immediately. Environments that grant Author-level accounts, or comparable content-editor privileges, to users who are not fully trusted are the most exposed, because that is the access level the weakness requires.

Technical summary

According to the advisory, update_gallery_data() does not fully sanitize gallery configuration input. sanitize_config_values() only sanitizes the justified_gallery_theme and justified_row_height parameters, leaving arrows unsanitized. That value is later emitted by gallery_init() into inline JavaScript using esc_attr(), which is appropriate for HTML attributes but not JavaScript contexts. The combination creates a stored XSS condition through the REST API. The supplied source data identifies CWE-79 and a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Defensive priority

Medium. The issue requires authenticated access, but the impact includes script execution in victim browsers and potential session or content abuse within the site context. Prioritize remediation on any public-facing WordPress installation using Envira Gallery Lite at or below 1.12.4.

Recommended defensive actions

  • Inventory WordPress sites using Envira Gallery Lite and confirm the installed version.
  • Treat versions 1.12.4 and earlier as affected based on the supplied advisory.
  • Restrict Author-level and other content-editor accounts to the minimum necessary permissions.
  • Review REST API exposure and monitor for unexpected gallery configuration changes, especially the arrows parameter.
  • Apply the vendor fix or upgrade guidance from the official plugin source when available.
  • Validate that any inline JavaScript output uses JavaScript-safe escaping, not HTML attribute escaping.
  • Check existing gallery content and recently modified pages for unexpected injected script behavior.
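The following is an added illustration, not code from Envira Gallery Lite, the advisory, or WordPress itself. It models the two defects the technical summary names and the check in the escaping action item above: sanitise every gallery configuration key on input (not just two of them), and emit the configuration into inline JavaScript with a JS-aware encoder instead of an HTML-attribute escaper. Function names, the allowlisted theme names and the sample input are constructed; treating arrows as a boolean switch is an assumption, since the page does not state the parameter's real type. json_encode() with the JSON_HEX_* flags is the encoder that WordPress's wp_json_encode() builds on, and htmlspecialchars() stands in for esc_attr(), so the script runs in plain PHP without WordPress loaded.

```php
<?php
declare(strict_types=1);

// Added example, not plugin code. Names, allowlists and sample data are constructed.

/** Coerce a boolean-like switch (assumed type for `arrows`); anything else -> default. */
function sanitize_bool_setting($value, bool $default): bool
{
    $v = strtolower(trim((string) $value));
    if (in_array($v, ['1', 'true', 'on', 'yes'], true)) {
        return true;
    }
    if (in_array($v, ['0', 'false', 'off', 'no'], true)) {
        return false;
    }
    return $default;
}

/** Clamp an integer setting such as a row height into a sane range. */
function sanitize_int_setting($value, int $default, int $min, int $max): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT);
    return $n === false ? $default : max($min, min($max, $n));
}

/** Accept only values from a fixed allowlist; the theme names here are made up. */
function sanitize_enum_setting($value, array $allowed, string $default): string
{
    $v = (string) $value;
    return in_array($v, $allowed, true) ? $v : $default;
}

/**
 * Sanitise the whole config, not just two keys. Unknown keys are dropped, so a
 * parameter that was never given a sanitiser cannot reach the output stage.
 */
function sanitize_gallery_config(array $raw): array
{
    return [
        'justified_gallery_theme' => sanitize_enum_setting(
            $raw['justified_gallery_theme'] ?? '', ['default', 'dark', 'light'], 'default'),
        'justified_row_height'    => sanitize_int_setting(
            $raw['justified_row_height'] ?? null, 150, 50, 1000),
        'arrows'                  => sanitize_bool_setting($raw['arrows'] ?? null, true),
    ];
}

/**
 * Emit the config as a single JS literal. The JSON_HEX_* flags turn '<', '>',
 * '&' and both quote characters into \uXXXX escapes and json_encode writes '/'
 * as '\/', so a value can neither close the <script> element nor leave its
 * string literal. This is the JavaScript-context escaping the action item asks for.
 */
function render_gallery_init(array $config): string
{
    $json = json_encode(
        $config,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>\nvar galleryConfig = {$json};\n</script>\n";
}

// Constructed REST-style input: a text value where a boolean was expected,
// a malformed row height, and a key the plugin does not know about.
$untrusted = [
    'justified_gallery_theme' => 'dark',
    'justified_row_height'    => '150abc',
    'arrows'                  => 'not-a-boolean <value/>',
    'unexpected_key'          => 'ignored',
];

$clean = sanitize_gallery_config($untrusted);
echo render_gallery_init($clean);
// Emits: var galleryConfig = {"justified_gallery_theme":"dark","justified_row_height":150,"arrows":true};

// Contrast the two escapers on the same raw string. htmlspecialchars() output
// is only meaningful to an HTML parser; inside <script> the JS parser reads the
// entity text verbatim and no quoting or structure is imposed on the value.
// The JSON form is a self-contained JS string literal whatever the input.
echo "esc_attr-style: ", htmlspecialchars($untrusted['arrows'], ENT_QUOTES, 'UTF-8'), "\n";
echo "JS literal:     ", json_encode($untrusted['arrows'],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), "\n";
```

When reviewing a plugin against the last two action items, the pattern to look for is any echo of a stored setting inside a `<script>` block that is wrapped in esc_attr() or esc_html() rather than wp_json_encode() or esc_js(); the sanitiser on the input side should also be checked for keys it silently passes through, as the advisory says sanitize_config_values() did with arrows.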

Evidence notes

This debrief is based only on the supplied advisory corpus and linked official references. The GitHub Advisory Database entry states the vulnerability affects Envira Gallery Lite up to 1.12.4 and identifies unsafe sanitization in update_gallery_data() plus improper escaping in gallery_init(). The WordPress Trac references point to the affected code locations. The advisory was published on 2026-05-14 at 06:31:32Z and modified at 06:31:40Z per the supplied timeline. No KEV listing is present in the supplied data.

Official resources

Publicly disclosed on 2026-05-14 in the supplied advisory corpus. The source record is unreviewed in GitHub Advisory Database terms, and no KEV entry is present in the provided data.