CVE-2021-47951

MEDIUM

WordPress Picture Gallery 1.4.2 Stored XSS via Edit Content URL

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47951. PoCs published by Aryan Chehreghani.

AI-analyzed exploit summary This is a technical writeup detailing a stored XSS vulnerability in the WordPress Picture Gallery plugin version 1.4.2. The exploit involves injecting a malicious script into the 'Edit Content URL' field, which executes when the functionality is triggered.

Description

WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access Control settings. Attackers can enter JavaScript payloads in the plugin options that are stored in the database and executed when the functionality is triggered, enabling session hijacking or credential theft.

Exploits (1)

exploitdb WRITEUP
by Aryan Chehreghani · textwebappsphp
https://www.exploit-db.com/exploits/50187

This is a technical writeup detailing a stored XSS vulnerability in the WordPress Picture Gallery plugin version 1.4.2. The exploit involves injecting a malicious script into the 'Edit Content URL' field, which executes when the functionality is triggered.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin Picture Gallery 1.4.2
Auth required
Prerequisites: WordPress 5.8 · Picture Gallery plugin 1.4.2 · Admin access to the plugin settings
devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-50187
https://www.exploit-db.com/exploits/50187
Product product
Product Reference
https://wordpress.org/plugins/picture-gallery/
Third Party Advisory third-party-advisory
VulnCheck Advisory: WordPress Picture Gallery 1.4.2 Stored XSS via Edit Content URL
https://www.vulncheck.com/advisories/wordpress-picture-gallery-stored-xss-via-edit-content-url

Scores

CVSS v3 6.4
EPSS 0.0019
EPSS Percentile 8.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
picture-gallery/Picture Gallery 1.4.2
Published May 10, 2026
Tracked Since May 10, 2026