CVE-2026-1302 is a stored cross-site scripting (XSS) vulnerability identified in the Meta-box GalleryMeta plugin for WordPress, maintained by the vendor shahinurislam. This vulnerability exists in all versions up to and including 3.0.1 and arises due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in the plugin's admin settings interface. The flaw allows authenticated attackers with editor-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. These malicious scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability is constrained to WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS v3.1 score is 4.4 (medium severity), reflecting that exploitation requires network access, high attack complexity, and high privileges, but no user interaction is needed. The vulnerability affects confidentiality and integrity to a limited extent but does not impact availability. No public exploits have been reported yet, but the presence of this vulnerability in a widely used CMS plugin poses a risk, especially in environments with multiple users and complex permission structures.

For European organizations, this vulnerability poses a moderate risk primarily in environments using WordPress multi-site installations with the Meta-box GalleryMeta plugin. Exploitation could allow attackers with editor-level access to inject malicious scripts, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions within the CMS. This could lead to data leakage, defacement, or further compromise of the website and connected systems. Organizations relying on WordPress for public-facing or internal portals may face reputational damage and operational disruption. The impact is more pronounced in sectors with strict data protection regulations such as GDPR, where unauthorized data exposure can lead to legal and financial penalties. Since the vulnerability requires elevated privileges, the risk is mitigated somewhat by proper access controls, but insider threats or compromised editor accounts increase exposure. The lack of known exploits reduces immediate risk but does not eliminate the need for proactive measures.

European organizations should immediately audit their WordPress environments to identify installations of the Meta-box GalleryMeta plugin, particularly focusing on multi-site setups or those with unfiltered_html disabled. Since no official patch links are provided yet, administrators should consider the following mitigations: restrict editor-level permissions strictly to trusted users, implement web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the plugin, and monitor logs for suspicious admin setting changes. Additionally, consider disabling or removing the Meta-box GalleryMeta plugin if it is not essential. Organizations should also ensure that WordPress core and all plugins are regularly updated once patches become available. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts. Finally, conduct user training to recognize potential phishing or social engineering attempts that could lead to privilege escalation.