What the vulnerability does
01Description
The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31 This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Explanation of Vulnerability in Simple Terms
02Summary
Photo Gallery by FooGallery versions up to 3.1.31 contain a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts. The vulnerability has a changed scope, meaning injected code can affect other users and site functionality. An attacker with low-level access can craft malicious input that executes in other users' browsers without requiring user interaction.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that runs in other users' browsers and affects site functionality.
Potential impact on your site
04Site Impact
Authenticated users can inject scripts affecting other visitors and site operations; data theft or account compromise possible.
Conditions required to exploit
05Prerequisites
Attacker must have a low-level user account on the site; no user interaction required.
Key dates
06Disclosure timeline
June 13, 2026
CVE published
June 15, 2026
Record updated
