MEDIUM 5.4

CVE-2026-5191: Stored XSS in Tiled Gallery Carousel Without JetPack WordPress Plugin

The Tiled Gallery Carousel Without JetPack WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in versions up to 3.1. An attacker with contributor-level access or higher can inject malicious scripts into gallery image titles that will execute in the browsers of anyone viewing the affected page. This is a persistence concern because the malicious code is permanently stored in the site's database.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to stored cross-site scripting via the 'data-image-title' parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-5191 is a stored XSS vulnerability (CWE-79) in the Tiled Gallery Carousel Without JetPack plugin affecting all versions through 3.1. The vulnerability stems from insufficient input sanitization and output escaping of the 'data-image-title' parameter. Authenticated users with contributor privileges or above can inject arbitrary JavaScript that persists in the page markup and executes in the context of subsequent visitor sessions, potentially achieving credential theft, session hijacking, or malware distribution within the WordPress environment.

Business impact

A successful attack could allow a malicious insider or compromised contributor account to deface pages, harvest visitor credentials, redirect users to phishing sites, or distribute malware. Multi-site WordPress installations are particularly at risk if contributor accounts are provisioned across multiple blogs. Customer trust, site integrity, and potential compliance violations (depending on data exposure) are the primary business concerns.

Affected systems

WordPress installations using the Tiled Gallery Carousel Without JetPack plugin version 3.1 and earlier are affected. The vulnerability requires authenticated access at the contributor level or above, limiting exposure to internal team members, clients with editing privileges, or attackers who have compromised such accounts. Sites running the plugin on publicly accessible WordPress instances represent higher risk.

Exploitability

Exploitation requires valid WordPress authentication and contributor-or-above privileges. An attacker cannot exploit this remotely as an unauthenticated user. However, in environments where contributor accounts are loosely controlled or shared, or where account compromise is likely, the threat is elevated. The attack itself is trivial once access is obtained: injecting malicious HTML/JavaScript into the 'data-image-title' parameter and publishing the page. No user interaction beyond viewing the page is required for the payload to execute.

Remediation

Update the Tiled Gallery Carousel Without JetPack plugin to a patched version beyond 3.1 as soon as available from the plugin repository. Until a patch is released, consider disabling the plugin, restricting contributor access to only trusted administrators, or using Web Application Firewall (WAF) rules to filter malicious payloads in gallery parameters. Review contributor accounts for suspicious activity and audit recent page edits.

Patch guidance

Check the WordPress plugin directory for available updates to the Tiled Gallery Carousel Without JetPack plugin. Patches addressing this vulnerability should be released by the plugin maintainer. Apply updates through the WordPress admin dashboard or via command line (wp plugin update). Verify patch deployment by confirming the running plugin version post-update. If no patch is available within a reasonable timeframe, consider migrating to an alternative gallery plugin or forking the code to apply a fix internally.

Detection guidance

Monitor for unusual modifications to pages and posts using the Tiled Gallery Carousel Without JetPack plugin, particularly edits by lower-privileged accounts. Inspect the 'data-image-title' parameter values in affected pages for JavaScript patterns (script tags, event handlers, encoded payloads). Check WordPress edit logs and revision history for suspicious contributor activity. Web application firewalls can flag attempts to inject script-like content into image title fields. Review site performance logs for unexpected JavaScript execution.

Why prioritize this

Although the CVSS score is MEDIUM (5.4), prioritization should be elevated in environments with loose contributor access controls or shared account credentials. The stored nature of this XSS creates persistent risk, and the ease of exploitation once authenticated makes rapid patching important. Organizations with public-facing WordPress sites and multiple contributors should patch quickly; those with highly restricted contributor access can take a more measured approach.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects network accessibility (AV:N) but requires authenticated access (PR:L) and user interaction (UI:R) to trigger the payload execution. The impact is confidentiality and integrity compromise (C:L, I:L) with no availability impact (A:N), and the scope is changed (S:C), indicating cross-system consequences. The score appropriately captures that this is not a critical flaw but demands attention given the ease of exploitation and persistence mechanism.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. This vulnerability requires valid WordPress authentication with contributor-level access or higher. Unauthenticated users cannot inject the malicious payload. However, if a contributor account is compromised or if your site provides loose access to external partners, the attack surface widens.

What versions of the Tiled Gallery Carousel Without JetPack plugin are affected?

All versions up to and including version 3.1 are vulnerable. Any installation running this plugin on version 3.1 or earlier should be considered at risk. Check your WordPress admin dashboard under Plugins to verify your running version.

What happens if I cannot update the plugin immediately?

Immediately restrict contributor access to only fully trusted, well-secured accounts. Disable the plugin entirely if it is not critical to site operations. Implement a Web Application Firewall rule to filter suspicious characters or script tags in image title parameters. Audit recent page edits for injected content and review user account activity logs.

How do I check if my site has already been compromised by this vulnerability?

Review the HTML source code and page revisions of pages using this gallery plugin, looking for unexpected JavaScript or script tags in the 'data-image-title' field. Check WordPress user activity logs and post edit history for unauthorized modifications by contributor accounts. Consider a security audit if you suspect compromise.

This analysis is based on CVE-2026-5191 published data as of June 17, 2026. Patch availability, affected vendor versions, and remediation timelines are subject to change; verify current guidance directly with the plugin maintainer and your WordPress security resources. SEC.co provides this information for security professionals to inform risk decisions and does not warrant completeness or freedom from error. Test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).