CVE-2026-1430
Stored XSS in WP Lightbox 2 Plugin Allows Admin Exploitation
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_lightbox | wp_lightbox_2 | up to 3.0.7 (3.0.7 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WP Lightbox 2 WordPress plugin version is prior to 3.0.7, as those versions are vulnerable.
Additionally, detection can involve inspecting the 'Additional text below image info' field within the Lightbox General Settings for suspicious or malicious JavaScript payloads such as `"><img src=x onerror=alert(777)>`.
Since this is a stored Cross-Site Scripting vulnerability exploitable by high privilege users, it is also advisable to monitor for unusual shortcode blocks containing HTML such as `<a href="images/image-1.jpg" rel="lightbox" title="my caption">image #1</a>` that could trigger the XSS.
No specific commands are provided in the available resources for automated detection on the network or system.
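As an added defender-side example (not from the advisory or the plugin's own code), the two checks above expressed in Python: a version comparison against the fixed release 3.0.7, and a scan of a stored setting value for markup that can run script when rendered. The sample inputs are constructed; in practice the version comes from the plugin's main file header and the setting value from the site's options table.

```python
import re
from html.parser import HTMLParser

# Releases older than this are affected (fixed version stated in the advisory).
FIXED_VERSION = (3, 0, 7)


def parse_version(text):
    """Turn a 'Version: 3.0.6' plugin-header line or a bare '3.0.6' into a tuple."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(version_text):
    """True when the installed WP Lightbox 2 version is older than 3.0.7."""
    return parse_version(version_text) < FIXED_VERSION


class _ScriptFinder(HTMLParser):
    """Collects tags and attributes that execute script once the value is output unescaped."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append("<%s> element" % tag)
        for name, value in attrs:
            if name.startswith("on"):  # event handlers such as onerror, onload
                self.findings.append("%s attribute on <%s>" % (name, tag))
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL in %s of <%s>" % (name, tag))


def scan_setting(value):
    """Return a list describing every script-capable construct found in one stored setting."""
    finder = _ScriptFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed sample values standing in for the plugin header and the stored option.
    header_line = "Version: 3.0.6"
    stored_setting = '"><img src=x onerror=alert(777)>'
    print("vulnerable version:", is_vulnerable_version(header_line))
    print("findings:", scan_setting(stored_setting))
```

A clean caption such as the plugin's normal `<a ... rel="lightbox">` markup produces no findings, so the scan separates ordinary lightbox HTML from injected event handlers.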
Can you explain this vulnerability to me?
CVE-2026-1430 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Lightbox 2 WordPress plugin versions before 3.0.7. It occurs because the plugin does not properly sanitize and escape some of its settings.
This flaw allows users with high privileges, such as administrators, to inject malicious JavaScript code into the plugin's settings even if the unfiltered_html capability is disabled, for example in multisite WordPress setups.
An attacker can exploit this by entering a malicious payload into a specific field in the plugin settings, which then gets stored and executed when other users interact with affected content, leading to the execution of arbitrary scripts.
How can this vulnerability impact me?
This vulnerability can allow an attacker with admin-level access to execute arbitrary JavaScript code within the context of the affected WordPress site.
Such an attack could lead to session hijacking, defacement, theft of sensitive information, or the spread of malware to site visitors.
Even though the severity is rated as low (CVSS 3.5), the impact can be significant because it involves high privilege users and persistent script injection.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WP Lightbox 2 plugin to version 3.0.7 or later, where the issue has been fixed.
Until the update is applied, restrict high privilege users from modifying the 'Additional text below image info' field or adding shortcode blocks that could contain malicious scripts.
Also, review user privileges to ensure that only trusted administrators have access to these settings.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in WP Lightbox 2 allows stored Cross-Site Scripting (XSS) attacks by high privilege users such as administrators. This type of vulnerability can potentially lead to unauthorized script execution, which may result in data exposure or manipulation.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, stored XSS vulnerabilities generally pose risks to data integrity and confidentiality, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance by enabling attacks that compromise user data or system security controls required under such standards.