| Plugin Name | Tiled Gallery Carousel Without JetPack |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-5191 |
| Urgency | Low |
| CVE Publish Date | 2026-06-02 |
| Source URL | CVE-2026-5191 |
Authenticated Contributor Stored XSS in Tiled Gallery Carousel — What WordPress Site Owners Should Do Now
By: Hong Kong Security Expert | Date: 2026-06-02
We identified a stored cross-site scripting (XSS) issue in the Tiled Gallery Carousel plugin (vulnerable up to and including 3.1). An authenticated user with a Contributor-level account can inject HTML/JavaScript that is later rendered to site visitors. This vulnerability is tracked as CVE-2026-5191 and carries a CVSS score of 6.5. At the time of writing there is no vendor patch available.
If your WordPress site runs this plugin (the tiled gallery/carousel variant that works without Jetpack), treat this as a high-priority review even if traffic is low: vulnerabilities of this kind are commonly abused in mass exploit campaigns.
TL;DR (Quick summary)
- Vulnerability: Stored XSS. Contributor role can store HTML/JavaScript that is output on the public site.
- Affected plugin: Tiled gallery / carousel plugin variant (vulnerable ≤ 3.1).
- CVE: CVE-2026-5191. CVSS: 6.5 (medium).
- User interaction: Attacker needs an authenticated account with Contributor privilege; victim must visit a page that renders the malicious content.
- Immediate defensive options:
  - Temporarily disable the plugin or restrict creation/editing of galleries.
  - Remove unnecessary Contributor accounts.
  - Apply edge or application-level rules to block script tags and inline event handlers in gallery fields.
  - Sanitize existing gallery postmeta and post_content for script tags.
- Longer-term: Apply vendor patch when available, implement least privilege, adopt virtual patching and monitoring, and review user roles and workflows.
Why stored XSS from a Contributor is serious (even if CVSS is “medium”)
Although Contributors cannot publish directly, many gallery plugins allow them to create or edit gallery data that is later published by Editors or Administrators. If the plugin fails to properly sanitize or escape stored data, that content can execute in the browser of any visitor who views the gallery — including higher-privileged users.
Stored XSS enables an attacker to:
- Execute arbitrary JavaScript in visitors’ browsers (session theft, privilege escalation in some contexts).
- Inject redirects to phishing pages, stealth SEO spam, or defacement.
- Persist malicious scripts as backdoors for later exploitation.
- Deliver further client-side exploits or browser-based CSRF that target logged-in admin users.
Because gallery captions, alt-text or JSON blobs often look innocuous, malicious content can remain hidden for long periods and can be leveraged in mass-exploitation once a reliable injection point is known.
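To make the output side of this concrete, here is an added example (not the plugin's code; the tgc_ names and the sample item are constructed) that renders one gallery item twice: first by concatenating the stored values straight into markup, the way a plugin that "fails to escape on output" does, and then with the WordPress escaping function for each output context. The function_exists fallbacks are only there so the file also runs outside WordPress; inside WordPress the real esc_* functions apply (the real esc_url() additionally rejects unsafe protocols such as javascript:).

```php
<?php
// Added example, not the plugin's code. tgc_ names and the sample item are
// constructed. The fallbacks only exist so the file runs outside WordPress with
// `php file.php`; inside WordPress the real esc_* functions are used (the real
// esc_url() additionally rejects unsafe protocols such as javascript:).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
    function esc_url( $url ) { return htmlspecialchars( (string) $url, ENT_QUOTES, 'UTF-8' ); }
}

// Constructed sample: values a Contributor-level account could save in gallery fields.
function tgc_sample_item() {
    return array(
        'src'     => 'https://example.invalid/photo.jpg',
        'alt'     => '" onmouseover="alert(1)',           // closes the attribute, adds an event handler
        'caption' => 'Sunset <script>alert(1)</script>', // script element inside text content
    );
}

// VULNERABLE pattern: stored values concatenated straight into markup.
function tgc_render_item_vulnerable( array $item ) {
    return '<figure><img src="' . $item['src'] . '" alt="' . $item['alt'] . '">'
        . '<figcaption>' . $item['caption'] . '</figcaption></figure>';
}

// HARDENED pattern: escape each value for the context it lands in
// (URL attribute, plain attribute, element text). Escaping at output protects
// visitors even when a bad value is already sitting in the database.
function tgc_render_item_safe( array $item ) {
    return '<figure><img src="' . esc_url( $item['src'] ) . '" alt="' . esc_attr( $item['alt'] ) . '">'
        . '<figcaption>' . esc_html( $item['caption'] ) . '</figcaption></figure>';
}

// True when the rendered markup still contains a live script element or an
// inline event handler assignment; used to compare the two renderers.
function tgc_markup_is_dangerous( $html ) {
    return (bool) preg_match( '/<script\b|\bon\w+\s*=\s*"/i', $html );
}

echo tgc_render_item_vulnerable( tgc_sample_item() ), "\n";
echo tgc_render_item_safe( tgc_sample_item() ), "\n";
var_dump( tgc_markup_is_dangerous( tgc_render_item_vulnerable( tgc_sample_item() ) ) );
var_dump( tgc_markup_is_dangerous( tgc_render_item_safe( tgc_sample_item() ) ) );
```

The point of the comparison is that the same stored item is harmless once each value is escaped for its own context: the quote in the alt value becomes `&quot;` and can no longer close the attribute, and the script element in the caption is rendered as visible text. Storage-side sanitizing (as in the cleanup below) is a useful second layer, but output escaping is the fix that holds even for data that was stored before any cleanup ran.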
How the vulnerability typically works (technical overview)
- The plugin accepts rich or semi-structured data from contributors (e.g., gallery titles, captions, settings, JSON blobs stored as postmeta).
- The plugin fails to sanitize or escape certain fields before saving (or fails to escape on output).
- The contributor submits a payload containing a `<script>` tag or an inline event handler in one of those fields.
Example cleanup routine for stored gallery postmeta (the list of meta keys is a placeholder to replace with the keys the plugin actually uses):
```php
<?php
// Cleans stored gallery postmeta for one post. The function head is reconstructed
// (the original head of this snippet was not recoverable); $meta_keys is a
// placeholder list to replace with the meta keys the plugin actually stores.
function tgc_sanitize_gallery_meta( $post_ID, array $meta_keys = array( 'PLACEHOLDER_gallery_meta_key' ) ) {
    foreach ( $meta_keys as $meta_key ) {
        $value = get_post_meta( $post_ID, $meta_key, true );
        if ( ! is_string( $value ) || '' === $value ) {
            continue;
        }
        $decoded = json_decode( $value, true );
        if ( is_array( $decoded ) ) {
            // JSON blob: strip script elements and inline event handlers from every string leaf
            array_walk_recursive( $decoded, function ( &$item ) {
                if ( ! is_string( $item ) ) {
                    return;
                }
                $item = preg_replace( '/(<script\b[^>]*>.*?<\/script>)/is', '', $item );
                // Note: matches any "on…=" substring, so review fields that may legitimately contain such text
                $item = preg_replace( '/on\w+\s*=/i', '', $item );
            } );
            $new_value = wp_json_encode( $decoded );
            update_post_meta( $post_ID, $meta_key, $new_value );
        } else {
            // Plain HTML/text: wp_kses already drops script elements and on* attributes; the regexes are a second pass
            $clean = wp_kses( $value, wp_kses_allowed_html( 'post' ) );
            $clean = preg_replace( '/(<script\b[^>]*>.*?<\/script>)/is', '', $clean );
            $clean = preg_replace( '/on\w+\s*=/i', '', $clean );
            update_post_meta( $post_ID, $meta_key, $clean );
        }
    }
}
```
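Before rewriting any stored data it helps to know which rows are actually affected. The following added example (not the plugin's code; tgc_ names are hypothetical, and the meta key names and rows in tgc_sample_rows() are constructed, not the plugin's real keys) is a read-only audit that checks postmeta values for script tags, inline event handlers and javascript: URLs, descending into JSON blobs the same way the cleanup above does, and reports the post ID, meta key and path of every match. In WordPress the rows would come from $wpdb->get_results() on the postmeta table; here they are embedded so the script runs offline with `php file.php`.

```php
<?php
// Added example, not the plugin's code: a read-only audit that reports which
// postmeta rows contain script tags, inline event handlers or javascript: URLs,
// looking inside JSON blobs as well as plain strings, so a site owner can see
// what is affected before any cleanup rewrites the data. tgc_ names are
// hypothetical and the sample rows at the bottom are constructed.

function tgc_suspicious_patterns() {
    return array(
        'script_tag'    => '/<script\b[^>]*>/i',
        // \b avoids flagging words that merely contain "on" (e.g. "season=")
        'event_handler' => '/\bon\w+\s*=/i',
        'js_url'        => '/\bjavascript\s*:/i',
    );
}

// Walks a decoded JSON value (or a plain string) and returns
// [ path => [ pattern names ] ] for every string leaf that matches.
function tgc_scan_value( $value, $path = '/' ) {
    $hits = array();
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $child ) {
            $child_path = rtrim( $path, '/' ) . '/' . $key;
            $hits = array_merge( $hits, tgc_scan_value( $child, $child_path ) );
        }
        return $hits;
    }
    if ( ! is_string( $value ) ) {
        return $hits;
    }
    foreach ( tgc_suspicious_patterns() as $name => $regex ) {
        if ( preg_match( $regex, $value ) ) {
            $hits[ $path ][] = $name;
        }
    }
    return $hits;
}

// $rows has the shape $wpdb->get_results( ..., ARRAY_A ) returns for
// "SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key IN (...)".
function tgc_audit_rows( array $rows ) {
    $report = array();
    foreach ( $rows as $row ) {
        $decoded = json_decode( $row['meta_value'], true );
        $target  = is_array( $decoded ) ? $decoded : $row['meta_value'];
        $hits    = tgc_scan_value( $target );
        if ( $hits ) {
            $report[] = array(
                'post_id'  => (int) $row['post_id'],
                'meta_key' => $row['meta_key'],
                'hits'     => $hits,
            );
        }
    }
    return $report;
}

// Constructed sample rows (meta key names are made up): a clean title, a title
// carrying a script tag, and a JSON item list with an event handler in the
// second caption.
function tgc_sample_rows() {
    return array(
        array( 'post_id' => 11, 'meta_key' => 'gallery_title', 'meta_value' => 'Summer trip' ),
        array( 'post_id' => 12, 'meta_key' => 'gallery_title', 'meta_value' => 'Promo <script src="https://example.invalid/x.js"></script>' ),
        array( 'post_id' => 13, 'meta_key' => 'gallery_items', 'meta_value' => json_encode( array(
            array( 'src' => 'a.jpg', 'caption' => 'Beach' ),
            array( 'src' => 'b.jpg', 'caption' => '<span onmouseover="alert(1)">Pier</span>' ),
        ) ) ),
    );
}

foreach ( tgc_audit_rows( tgc_sample_rows() ) as $entry ) {
    foreach ( $entry['hits'] as $path => $names ) {
        printf( "post %d, meta %s, path %s: %s\n", $entry['post_id'], $entry['meta_key'], $path, implode( ',', $names ) );
    }
}
```

Running the audit first and keeping its report gives you a list of affected posts (and the accounts that last edited them) to review before the cleanup runs, and a record for incident notes afterwards; the event-handler pattern can still produce occasional false positives on ordinary text, so treat a hit as something to inspect rather than proof of compromise.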
Important: