CVE-2026-1706 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the All-in-One Video Gallery plugin for WordPress, developed by plugins360. This vulnerability affects all versions up to and including 4.7.1. The root cause is insufficient sanitization and escaping of the 'vi' parameter during web page generation, which allows an attacker to inject arbitrary JavaScript code. Because the vulnerability is reflected, the malicious payload is embedded in a crafted URL or request that, when clicked or visited by a user, executes in the context of the victim's browser. The attacker does not require authentication to exploit this flaw, but user interaction is necessary to trigger the payload. The vulnerability impacts confidentiality and integrity by enabling theft of cookies, session tokens, or performing unauthorized actions on behalf of the user. The CVSS 3.1 score is 6.1, indicating medium severity, with an attack vector over the network, low attack complexity, no privileges required, but user interaction needed, and scope changed due to potential impact on user sessions. No patches or official fixes are currently linked, and no known exploits are reported in the wild. Given the widespread use of WordPress and the popularity of video gallery plugins, this vulnerability poses a notable risk to websites using this plugin, especially those with high user interaction or sensitive user data.

The primary impact of CVE-2026-1706 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers can steal session cookies, enabling account hijacking, or perform actions on behalf of users, such as changing settings or posting unauthorized content. While availability is not directly affected, the reputational damage and loss of user trust can be significant. The vulnerability can be exploited remotely without authentication, increasing the attack surface. Organizations running websites with this plugin may face targeted phishing campaigns to lure users into clicking malicious links. This can lead to data breaches, unauthorized access, and potential lateral movement if administrative accounts are compromised. The medium severity score reflects that while the vulnerability is serious, it requires user interaction and does not directly allow remote code execution or system compromise. However, in environments with high-value targets or sensitive data, the risk is elevated.

1. Immediate mitigation involves updating the All-in-One Video Gallery plugin to a version that addresses this vulnerability once released by plugins360. 2. Until a patch is available, implement Web Application Firewall (WAF) rules to detect and block suspicious requests containing malicious scripts in the 'vi' parameter. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 4. Sanitize and validate all user inputs at the application level, especially parameters reflected in responses. 5. Educate users and administrators about the risks of clicking unsolicited links and encourage cautious behavior. 6. Monitor web server logs for unusual or suspicious requests targeting the 'vi' parameter. 7. Consider disabling or replacing the plugin if immediate patching is not feasible, especially on high-risk sites. 8. Regularly review and update security controls and conduct penetration testing focused on XSS vulnerabilities.