{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4085", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T20:51:56.076Z", "datePublished": "2026-04-22T07:45:38.938Z", "dateUpdated": "2026-04-22T07:45:38.938Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:38.938Z"}, "affected": [{"vendor": "maltathemes", "product": "Easy Social Photos Gallery \u2013 MIF", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. Specifically, the plugin uses sanitize_text_field() instead of esc_attr() when outputting the 'wrapper_class' attribute inside a double-quoted HTML class attribute. Since sanitize_text_field() does not encode double quotes, an attacker can break out of the class attribute and inject arbitrary HTML event handlers. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Easy Social Photos Gallery <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrapper_class' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8640724c-0bd4-4684-9fd1-027f2af64e67?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/class-my-instagram-feed-frontend.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/views/feed.php#L102"}, {"url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/views/feed.php#L102"}, {"url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/class-my-instagram-feed-frontend.php#L53"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-21T19:06:46.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. Specifically, the plugin uses sanitize_text_field() instead of esc_attr() when outputting the 'wrapper_class' attribute inside a double-quoted HTML class attribute. Since sanitize_text_field() does not encode double quotes, an attacker can break out of the class attribute and inject arbitrary HTML event handlers. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4085", "lastModified": "2026-04-22T09:16:22.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:22.417", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/class-my-instagram-feed-frontend.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/views/feed.php#L102"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/class-my-instagram-feed-frontend.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/views/feed.php#L102"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8640724c-0bd4-4684-9fd1-027f2af64e67?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Easy Social Photos Gallery \u2013 MIF", "source": "cna", "vendor": "maltathemes"}, "product": "easy_social_photos_gallery_\u2013_mif", "vendor": "maltathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:24:13.681340+00:00", "value": {"mitigation_remediation": ["Upgrade Easy Social Photos Gallery to the latest supported release.", "If an upgrade is not possible, remove or restrict usage of the my\u2011instagram\u2011feed shortcode and deny contributor access to editing it.", "Identify and delete any existing wrapper_class attributes that contain injected payloads in posts, pages or widgets.", "Implement a Content\u2011Security\u2011Policy that blocks inline scripts to mitigate potential XSS exploitation."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running Easy Social Photos Gallery plugin version 3.1.2 or earlier are affected. The vulnerability is triggered by the my\u2011instagram\u2011feed shortcode\u2019s wrapper_class attribute, which is rendered in pages, posts, or widgets.", "description_and_impact": "The Easy Social Photos Gallery plugin for WordPress has a stored XSS flaw in versions 3.1.2 and older. The plugin uses sanitize_text_field() for the wrapper_class shortcode attribute instead of esc_attr(), allowing a contributor\u2011level user to insert an unescaped double quote and inject arbitrary HTML event handlers. When a user visits a page that has the injected attribute, the malicious script runs in that user\u2019s browser, revealing confidentiality or allowing further attacks.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. No EPSS score is available and the issue is not listed in CISA KEV, suggesting current exploitation is not widespread. However, because the attacker must be authenticated with at least contributor privileges, the attack vector is restricted to local contributors who can edit the shortcode attributes. Once an attacker injects a payload, every visitor to the affected page will execute the script, enabling data theft or defacement."}}}}, "created": "2026-04-22T09:30:13.553848+00:00", "updated": "2026-04-22T11:44:00.981459+00:00", "vendors": ["maltathemes", "maltathemes$PRODUCT$easy_social_photos_gallery_\u2013_mif", "wordpress", "wordpress$PRODUCT$wordpress"]}