CVE-2026-1913 Overview
CVE-2026-1913 is a Stored Cross-Site Scripting (XSS) vulnerability in the Gallagher Website Design plugin for WordPress. The flaw affects all plugin versions up to and including 2.6.4. The root cause is insufficient input sanitization and output escaping on the prefix attribute of the plugin's login_link shortcode. Authenticated users with Contributor-level access or above can inject arbitrary JavaScript into pages. The malicious script then executes in the browser of any visitor who loads the affected page. The vulnerability is tracked under CWE-79.
Critical Impact
Authenticated contributors can persist JavaScript that executes against site visitors, enabling session theft, account takeover, and redirection to attacker-controlled infrastructure.
Affected Products
- Gallagher Website Design plugin for WordPress — all versions through 2.6.4
- WordPress sites permitting Contributor-level or higher registrations
- Any page or post embedding the plugin's login_link shortcode
Discovery Timeline
- 2026-04-22 - CVE-2026-1913 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-1913
Vulnerability Analysis
The vulnerability resides in the login_link shortcode handler located in gallagher-website-design.php at line 203. The shortcode accepts a prefix attribute supplied by the post author. The plugin renders the prefix value back into page HTML without sanitizing input or escaping output. Any script payload embedded in the prefix attribute persists in the post database and executes when the page is rendered to any visitor.
Because the attack requires only Contributor-level privileges, sites that allow open registration or have low-trust contributor accounts are directly exposed. The scope-changed nature of the issue means the injected script executes in the security context of the WordPress site, allowing the attacker to access cookies, session tokens, and the WordPress administrative interface if a privileged user visits the page.
Root Cause
The shortcode handler concatenates the user-supplied prefix attribute into the response markup without calling WordPress escaping functions such as esc_attr(), esc_html(), or wp_kses(). Missing input validation on shortcode attributes is the underlying weakness, classified as CWE-79: Improper Neutralization of Input During Web Page Generation.
Attack Vector
An attacker with Contributor-level access creates or edits a post containing the login_link shortcode and embeds a JavaScript payload inside the prefix attribute. After saving, the post stores the payload in the database. When a visitor, editor, or administrator loads the page, the browser executes the injected script. The attacker can use this primitive to exfiltrate authentication cookies, perform actions on behalf of administrators, or pivot to broader site compromise.
No verified exploit code is publicly available. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Code Review for technical details on the vulnerable code path.
Detection Methods for CVE-2026-1913
Indicators of Compromise
- Posts or pages containing login_link shortcodes with prefix attribute values that include <script>, onerror, onload, javascript:, or HTML-encoded variants.
- Unexpected outbound requests from site visitors to attacker-controlled domains following page loads.
- New or modified Contributor accounts that have authored pages containing the plugin shortcode.
- WordPress audit log entries showing shortcode edits by low-privilege users.
Detection Strategies
- Query the wp_posts table for post_content matching login_link shortcodes with suspicious prefix values.
- Deploy a web application firewall (WAF) rule to inspect POST requests to wp-admin/post.php and admin-ajax.php for shortcode payloads containing script tokens.
- Review plugin source at the WordPress Plugin Source Code reference to baseline expected behavior.
Monitoring Recommendations
- Enable WordPress activity logging to capture post creation and edits by Contributor-level accounts.
- Monitor browser-side Content Security Policy (CSP) violation reports for unexpected script sources.
- Alert on creation of new Contributor accounts followed by rapid post publication.
How to Mitigate CVE-2026-1913
Immediate Actions Required
- Update the Gallagher Website Design plugin to a version newer than 2.6.4 once the vendor publishes a fix.
- Audit all existing posts and pages for the login_link shortcode and inspect prefix attribute values.
- Temporarily restrict Contributor account creation and review the trust level of existing Contributor users.
- Apply the principle of least privilege to all WordPress roles and remove unused author accounts.
Patch Information
Review the WordPress Plugin Changeset Details for the upstream remediation commit. The fix must apply esc_attr() to the prefix attribute prior to rendering it within HTML output. Site operators should verify the deployed plugin version matches a release containing the sanitization fix.
Workarounds
- Deactivate and remove the Gallagher Website Design plugin until a patched release is installed.
- Deploy a WAF rule blocking shortcode parameters containing <, >, or javascript: patterns in POST bodies to wp-admin endpoints.
- Enforce a strict Content Security Policy that disallows inline scripts, reducing the impact of stored XSS payloads.
- Restrict the Contributor role from using shortcodes by filtering the_content for untrusted authors.
# Configuration example: locate vulnerable shortcode usage in the database
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[login_link%prefix=%<%' AND post_status IN ('publish','draft','pending');"
# Disable the plugin site-wide until patched
wp plugin deactivate gallagher-website-design
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

