CVE-2026-5361: XSS in Envira Gallery Lite WordPress Plugin

An attacker exploiting this XSS vulnerability could inject arbitrary JavaScript code into the Envira Gallery Lite plugin. This code could then be executed in the browsers of users viewing the affected gallery. The impact ranges from simple defacement and redirection to more severe consequences like stealing session cookies, phishing attacks, or even gaining control of the user's WordPress account. The REST API endpoint is a common target for such attacks, and successful exploitation could impact a significant number of WordPress sites using the Envira Gallery Lite plugin. The lack of proper sanitization of the 'arrows' parameter is the root cause, allowing attackers to bypass security measures.

1. 予約済み2026-04-01
2. 公開日2026-05-13
3. 更新日2026-05-14

The primary mitigation for CVE-2026-5361 is to upgrade the Envira Gallery Lite plugin to version 1.12.5 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the vulnerable REST API endpoint with suspicious parameters. Carefully review any custom code interacting with the gallery data to ensure proper input sanitization and output escaping. Monitor WordPress logs for unusual activity or attempts to access the REST API with potentially malicious payloads.