CVE-2026-3347

Name of the Vulnerable Software and Affected Versions Multi Functional Flexi Lightbox plugin for WordPress versions prior to 1.3

Description The software is susceptible to Stored Cross-Site Scripting through the arv lb[message] parameter. Insufficient input sanitization and output escaping allow authenticated attackers with Administrator-level access to inject arbitrary web scripts into pages. These scripts execute when a user accesses a page or post with the lightbox enabled. The arv lb options val() sanitize callback returns user input without sanitization, and the stored message value is output in the genLB() function without escaping.

Recommendations Update the Multi Functional Flexi Lightbox plugin to version 1.3 or later.