CVE-2026-1302 is a stored cross-site scripting vulnerability identified in the Meta-box GalleryMeta plugin for WordPress, maintained by shahinurislam. The flaw exists in all versions up to and including 3.0.1 due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of admin-configured settings. This allows authenticated users with editor-level permissions or higher to inject arbitrary JavaScript code into pages. The malicious scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions within the WordPress environment. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. Exploitation requires authenticated access with elevated privileges, and no user interaction is necessary after injection. The CVSS v3.1 base score of 4.4 reflects a medium severity, considering the network attack vector, high attack complexity, and the requirement for privileges. No public exploits have been reported so far, but the vulnerability poses a risk to sites using this plugin in multi-site configurations. The lack of available patches at the time of disclosure necessitates immediate mitigation steps by administrators.

The primary impact of CVE-2026-1302 is the potential for attackers with editor-level access to execute arbitrary JavaScript in the context of the affected WordPress site. This can lead to session hijacking, defacement, unauthorized actions performed on behalf of other users, or the injection of malicious content. Since the vulnerability affects multi-site installations or those with unfiltered_html disabled, it can compromise multiple sites within a network, amplifying the damage. The requirement for authenticated access with elevated privileges limits the attack surface but does not eliminate risk, especially in environments with multiple editors or compromised credentials. The vulnerability does not directly affect availability but compromises confidentiality and integrity. Organizations relying on the Meta-box GalleryMeta plugin in multi-site WordPress setups face increased risk of internal attacks or lateral movement by malicious insiders or compromised accounts.

Administrators should immediately audit user permissions to ensure only trusted users have editor-level or higher access. Restricting editor permissions or temporarily disabling the Meta-box GalleryMeta plugin in multi-site environments can reduce exposure. Since no official patch is available at disclosure, applying Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the plugin’s admin settings is recommended. Enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual admin activity and scanning for injected scripts on pages is critical. Once a patch is released, prompt updating of the plugin is essential. Additionally, consider enabling two-factor authentication for all users with elevated privileges to reduce the risk of credential compromise leading to exploitation.