CVE-2026-4300: Robo Gallery WordPress XSS Vulnerability

CVE-2026-4300 Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Robo Gallery plugin for WordPress, affecting all versions up to and including 5.1.3. The vulnerability exists in the 'Loading Label' setting and allows authenticated attackers with Author-level access or higher to inject arbitrary JavaScript code that executes when users view pages containing the affected gallery shortcode.

The vulnerability stems from an insecure custom marker pattern (|***...***|) used by the plugin's fixJsFunction() method to embed raw JavaScript function references within JSON-encoded configuration objects. While the plugin sanitizes input with sanitize_text_field(), this function only strips HTML tags and does not filter the custom marker pattern, allowing malicious payloads to bypass sanitization and achieve script execution on the frontend.

Critical Impact

Authenticated attackers with Author-level privileges can inject persistent malicious scripts that execute in visitors' browsers, potentially leading to session hijacking, credential theft, defacement, or further attacks against site users.

Affected Products

• Robo Gallery plugin for WordPress versions up to and including 5.1.3

Discovery Timeline

• April 8, 2026 - CVE-2026-4300 published to NVD
• April 8, 2026 - Last updated in NVD database

Technical Details for CVE-2026-4300

Vulnerability Analysis

The Robo Gallery plugin implements a custom mechanism for embedding JavaScript function references within JSON-encoded gallery configuration objects. The fixJsFunction() method uses a distinctive |***...***| marker pattern to identify values that should be treated as raw JavaScript rather than JSON strings.

When gallery options are rendered on the frontend, the plugin uses PHP's json_encode() function, which naturally wraps all string values in double quotes. The fixJsFunction() method subsequently strips the "|*** and ***|" sequences, effectively converting what appears to be a quoted JSON string value into executable raw JavaScript code within inline <script> tags via the renderMainBlock() function.

The Loading Label field (stored as rbs_gallery_LoadingWord post_meta) is defined as an rbstext type field. While the plugin sanitizes this input using WordPress's sanitize_text_field() function upon save, this sanitization approach only removes HTML tags and certain special characters—it does not filter the |***...***| marker sequences because they contain no HTML markup.

The gallery post type is registered with capability_type => 'post', which grants Author-level users the ability to create and modify gallery entries. This means any compromised or malicious Author account can exploit this vulnerability to inject persistent XSS payloads that affect all visitors to pages containing the compromised gallery.

Root Cause

The root cause is insufficient input validation and an insecure design pattern for embedding JavaScript within JSON structures. The plugin's reliance on sanitize_text_field() alone fails to account for the custom |***...***| marker syntax that triggers raw JavaScript injection during frontend rendering. The markers themselves are not HTML and therefore pass through sanitization unmodified, creating a sanitization bypass that leads to arbitrary script execution.

Attack Vector

An attacker with Author-level access creates or edits a gallery and enters a malicious payload such as |***alert(document.domain)***| in the Loading Label field. This value passes through sanitize_text_field() intact since it contains no HTML tags. When stored in the rbs_gallery_LoadingWord post_meta and subsequently rendered on the frontend, the fixJsFunction() method strips the quote markers, converting the string into raw JavaScript code that executes within the inline script block generated by renderMainBlock().

The attack requires network access and low-privilege authentication (Author role), but once the malicious gallery is published, the injected script executes automatically for any user who visits a page containing the gallery shortcode, without requiring any additional user interaction.

Detection Methods for CVE-2026-4300

Indicators of Compromise

• Presence of |*** and ***| patterns in rbs_gallery_LoadingWord post_meta values in the WordPress database
• Unexpected JavaScript code appearing in gallery configuration inline scripts on frontend pages
• User reports of suspicious browser behavior or pop-ups when viewing gallery pages
• Audit logs showing gallery modifications by Author-level users with unusual field values

Detection Strategies

• Implement database monitoring to scan wp_postmeta entries for the rbs_gallery_LoadingWord meta_key containing |*** marker patterns
• Deploy Web Application Firewall (WAF) rules to detect and block requests containing the |***...***| pattern in POST data
• Review server access logs for POST requests to WordPress admin endpoints that include the suspicious marker pattern in request bodies

Monitoring Recommendations

• Enable WordPress audit logging to track all gallery creation and modification events by Author-level users
• Configure browser-based Content Security Policy (CSP) violation reporting to detect inline script injection attempts
• Implement periodic database integrity scans to identify anomalous post_meta entries containing JavaScript patterns

How to Mitigate CVE-2026-4300

Immediate Actions Required

• Update the Robo Gallery plugin to a patched version as soon as one becomes available from the developer
• Audit all existing gallery entries in the WordPress database for suspicious |***...***| patterns in the Loading Label field
• Temporarily restrict gallery creation and editing permissions to Administrator-level users only
• Consider temporarily disabling the Robo Gallery plugin if immediate patching is not possible

Patch Information

A changeset addressing this vulnerability has been committed to the WordPress plugin repository. Site administrators should update to the latest available version of Robo Gallery through the WordPress admin interface or by downloading directly from the WordPress plugin repository. The WordPress Robo Gallery Changeset contains the security fix. Additional vulnerability details are available in the Wordfence Vulnerability Report.

Workarounds

• Implement custom input validation to sanitize or reject the |*** marker pattern in gallery settings before storage
• Use a Web Application Firewall to filter requests containing the malicious marker pattern
• Restrict the edit_posts capability for untrusted users to prevent gallery manipulation until a patch is applied

# Database query to identify potentially compromised galleries
wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = 'rbs_gallery_LoadingWord' AND meta_value LIKE '%|***%'"