The DA Media GigList WordPress plugin, widely used for managing event listings, contains a stored cross-site scripting vulnerability identified as CVE-2026-1805. This vulnerability exists due to improper neutralization of input during web page generation (CWE-79). Specifically, the damedia_giglist shortcode fails to adequately sanitize and escape user-supplied attributes, allowing malicious scripts to be stored in the plugin's data and later executed in the context of users viewing the affected pages. The attack vector requires an attacker to have at least contributor-level privileges on the WordPress site, enabling them to inject arbitrary JavaScript code. When other users, including administrators or editors, access the compromised page, the injected scripts execute, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability does not require user interaction beyond page access and does not impact system availability. The CVSS 3.1 base score of 6.4 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, and causing partial confidentiality and integrity impacts. No patches or official fixes are currently available, and no exploits have been observed in the wild. This vulnerability underscores the importance of strict input validation and output encoding in WordPress plugins, especially those handling user-generated content.

This vulnerability poses a moderate risk to organizations running WordPress sites with the DA Media GigList plugin installed. Successful exploitation can lead to unauthorized script execution in the context of site users, potentially allowing attackers to steal session cookies, perform actions on behalf of other users, or inject malicious content that damages the site's reputation. While availability is not impacted, the confidentiality and integrity of user data and site content can be compromised. Organizations with multiple contributors or editors are at higher risk, as these roles can be leveraged to inject malicious payloads. The vulnerability could be exploited to facilitate further attacks such as phishing, malware distribution, or privilege escalation within the WordPress environment. Given WordPress's widespread use, the vulnerability could affect a broad range of sectors including media, education, e-commerce, and government websites that use this plugin. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge.

To mitigate this vulnerability, organizations should immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Site administrators should monitor and audit content created via the damedia_giglist shortcode for suspicious or unexpected scripts. Applying strict Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script sources and execution contexts. Until an official patch is released, consider disabling or uninstalling the DA Media GigList plugin if feasible. Alternatively, implement custom input validation and output escaping in the plugin code to sanitize user-supplied attributes properly. Regularly update WordPress core and plugins to incorporate security fixes. Employ web application firewalls (WAFs) with rules targeting XSS payloads to detect and block exploitation attempts. Finally, educate contributors about safe content practices and the risks of injecting untrusted code.