PT-2026-31073 · WordPress · Lightpress Lightbox
Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-4379
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
LightPress Lightbox plugin for WordPress versions up to and including 2.3.4
Description
The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the group attribute of the [gallery] shortcode. The plugin does not properly escape the group attribute value when it modifies the gallery shortcode output. This allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages. These scripts then execute whenever a user accesses the compromised page.
Recommendations
Update the LightPress Lightbox plugin to a version later than 2.3.4.
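After updating, content saved while a vulnerable version was active can be audited for the issue described above. The following is an added example, not code from this advisory or from the plugin: it scans stored post content for [gallery] shortcodes whose group value contains anything beyond plain identifier characters. The allowlist, the function names and the sample posts are assumptions constructed for illustration.

```python
import re

# [gallery ...] tag; the negative lookahead keeps [gallery-foo] from matching.
GALLERY_RE = re.compile(r'\[gallery(?![\w-])([^\]]*)\]', re.IGNORECASE)
# Shortcode attribute forms: name="v", name='v', name=v
ATTR_RE = re.compile(r'''([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"]+))''')
# Assumption: a legitimate group name is a plain identifier.
SAFE_GROUP_RE = re.compile(r'[A-Za-z0-9_-]*')


def group_values(content):
    """Yield the raw value of every group attribute on a [gallery] shortcode."""
    for tag in GALLERY_RE.finditer(content):
        for attr in ATTR_RE.finditer(tag.group(1)):
            if attr.group(1).lower() == 'group':
                yield next(v for v in attr.groups()[1:] if v is not None)


def audit_posts(posts):
    """Return (post_id, value) for each group value outside the allowlist."""
    findings = []
    for post_id, content in posts:
        for value in group_values(content):
            if not SAFE_GROUP_RE.fullmatch(value):
                findings.append((post_id, value))
    return findings


# Constructed sample rows standing in for (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, 'Intro [gallery ids="1,2,3" group="summer-2025"] outro'),
    (102, '''[gallery ids="4,5" group='a" data-x="b']'''),
    (103, '[gallery ids="6"]'),
    (104, '[gallery group=plain_name columns="3"]'),
    (105, '[GALLERY group="x&quot;y"]'),
]

if __name__ == '__main__':
    for post_id, value in audit_posts(SAMPLE_POSTS):
        print(f'post {post_id}: review group value {value!r}')
```

Flagged values are candidates for manual review, not confirmed injections; posts authored by Contributor-level accounts are the ones to look at first.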
Fix
XSS
Affected Products
Lightpress Lightbox