CVE-2026-1302 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Meta-box GalleryMeta plugin for WordPress, versions up to and including 3.0.1. The root cause is insufficient input sanitization and output escaping in the plugin’s admin settings interface, allowing authenticated users with editor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user visits the compromised page. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, which restricts the ability to post raw HTML. The attack vector requires network access (remote) and high privileges (editor or above), but no user interaction is needed for the payload to execute once injected. The vulnerability affects confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim’s browser. The CVSS v3.1 score is 4.4 (medium), reflecting the complexity of exploitation and limited scope. No public exploits have been reported yet, but the vulnerability is significant given the widespread use of WordPress and the Meta-box GalleryMeta plugin in multi-site environments.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted WordPress environments, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions on behalf of users. Multi-site WordPress setups are common in enterprises and educational institutions, increasing the risk surface. The exploitation could result in data breaches, reputational damage, and compliance violations under GDPR if personal data is exposed. Since the attack requires editor-level access, insider threats or compromised editor accounts pose a significant risk. The lack of user interaction needed for script execution means that once the malicious code is injected, any user accessing the affected page is at risk. This could facilitate lateral movement within an organization’s web infrastructure or enable phishing campaigns leveraging the trusted site context.

European organizations should immediately audit their WordPress installations to identify use of the Meta-box GalleryMeta plugin, especially in multi-site configurations. Applying vendor patches or updates once available is critical. Until patches are released, restrict editor-level permissions to trusted users only and monitor for unusual admin activity. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections or payloads targeting the plugin’s admin settings. Enable Content Security Policy (CSP) headers to limit script execution sources and reduce impact of injected scripts. Regularly review and sanitize all inputs in admin interfaces and consider disabling or limiting use of the plugin if not essential. Conduct security awareness training for administrators and editors about the risks of XSS and safe content management practices. Finally, maintain robust logging and monitoring to detect exploitation attempts early.