CVE-2026-4805

Name of the Vulnerable Software and Affected Versions Woostify versions prior to 2.5.1

Description The Woostify plugin for WordPress contains a Stored Cross-Site Scripting issue caused by insufficient input sanitization and output escaping in the bundled Lity.js lightbox library. User-controlled input from the href attribute is concatenated directly into a jQuery HTML string without proper cleaning. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which then execute when a user visits the affected page.

Recommendations Update the plugin to a version later than 2.5.0.