CVE-2024-5878

Name of the Vulnerable Software and Affected Versions: WordPress plugins (affected versions not specified)

Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the SimpleLightbox JavaScript library, version 2.1.5, which is bundled with multiple WordPress plugins. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages. These scripts will execute when a user accesses an injected page.

Recommendations: For all affected versions, consider disabling the SimpleLightbox library until a patch is available. Restrict access to the plugin's settings to minimize the risk of exploitation by limiting user access to contributor-level and above roles. Avoid using user-supplied attributes in the SimpleLightbox library until the issue is resolved.