PatchSiren cyber security CVE debrief
CVE-2021-47951 WordPress CVE debrief
CVE-2021-47951 describes a stored cross-site scripting issue in WordPress Picture Gallery 1.4.2. An authenticated attacker can place malicious script content in the plugin’s Access Control settings via the Edit Content URL field, where it is stored and later executed when the affected functionality is used. The main security impact is browser-side compromise of other users’ sessions or credentials, especially in environments where plugin settings are accessible to less-trusted authenticated accounts.
- Vendor: WordPress
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
WordPress site administrators, security teams, and plugin maintainers should care most if Picture Gallery 1.4.2 is deployed. Risk is higher on sites that allow multiple authenticated roles to manage plugin options or that expose the affected admin workflow to lower-trust users.
Technical summary
The source record identifies this as CWE-79 (improper neutralization of input during web page generation). NVD metadata indicates network reachability with low attack complexity, low privileges required, and user interaction required. The vulnerability is stored XSS: attacker-supplied script is persisted in plugin data and later executed in a victim’s browser when the feature is triggered. The supplied description ties the issue specifically to the Edit Content URL field under Access Control settings in WordPress Picture Gallery 1.4.2.
Defensive priority
Medium. The issue requires authenticated access and user interaction, and there is no indication in the supplied corpus that it is a known exploited vulnerability. Still, stored XSS can directly impact administrator sessions and site trust, so affected deployments should treat it as a meaningful hardening priority.
Recommended defensive actions
- Confirm whether WordPress Picture Gallery 1.4.2 is installed anywhere in your environment.
- Review and restrict who can modify Access Control settings and related plugin options.
- Upgrade, replace, or remove the affected plugin if a fixed version is available from the vendor.
- Audit stored plugin settings for unexpected script-like content in the Edit Content URL field and adjacent configuration fields.
- Apply least-privilege principles so only trusted administrators can manage plugin configuration.
- Monitor for abnormal browser-side behavior or unexpected admin actions that could indicate stored XSS abuse.
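The audit and least-privilege actions above can be backed by a strict allow-list check on the URL field at save time and a triage pass over stored option values. The following is an added example written for this debrief, not code from the Picture Gallery plugin or from WordPress; the option name and the sample rows are constructed stand-ins for a wp_options export.

```python
import re
from urllib.parse import urlparse

# A gallery "content URL" has no legitimate reason to use anything but http(s).
ALLOWED_SCHEMES = {"http", "https"}
# Characters that close an HTML attribute or open a tag; never store them raw in a URL field.
ATTR_BREAK = re.compile(r'[<>"\']')
# Triage heuristic for script-like content (may false-positive on odd query strings).
SCRIPT_LIKE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def is_safe_content_url(value: str) -> bool:
    """Save-time validation: accept only absolute http(s) URLs with no attribute-breaking characters."""
    value = value.strip()
    # Embedded control characters enable scheme-smuggling; reject outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return False
    parsed = urlparse(value)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return False
    return ATTR_BREAK.search(value) is None


def looks_like_injection(value: str) -> bool:
    """Audit-time check: flag values carrying tag/attribute breakouts or script-like content."""
    return bool(ATTR_BREAK.search(value) or SCRIPT_LIKE.search(value))


def audit_options(rows):
    """Return (option_name, value) pairs from a wp_options-style export that warrant review."""
    return [(name, value) for name, value in rows if looks_like_injection(value)]


# Constructed sample rows; the option name is a hypothetical stand-in, not the plugin's real key.
SAMPLE_ROWS = [
    ("picture_gallery_edit_content_url", "https://example.com/gallery/edit"),
    ("picture_gallery_edit_content_url", 'https://example.com/x" onmouseover="alert(1)'),
    ("picture_gallery_edit_content_url", "javascript:alert(1)"),
    ("picture_gallery_edit_content_url", "/gallery/relative-path"),
]

if __name__ == "__main__":
    for name, value in audit_options(SAMPLE_ROWS):
        print(f"REVIEW {name}: {value!r}")
```

The relative path is rejected by the save-time validator but not flagged by the audit, which keeps the triage list focused on injection-like values rather than every non-conforming URL.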
Evidence notes
The supplied source corpus states that WordPress Picture Gallery 1.4.2 contains a stored XSS vulnerability through the Edit Content URL field in Access Control settings. NVD metadata classifies the issue as CWE-79 and includes a CVSS vector consistent with authenticated, user-interaction-required web exploitation. The corpus also lists a plugin reference page, an NVD record, a VulnCheck advisory, and an Exploit-DB reference URL; this debrief does not rely on any unsupported exploit details from those references.
Official resources
Publicly recorded in the supplied CVE/NVD material on 2026-05-10. The corpus references a VulnCheck advisory and related plugin page; no KEV entry is present in the provided data.