Executive Summary

The Woostify plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.5.0. This vulnerability arises because the bundled Lity.js lightbox library does not properly sanitize or escape user input. Specifically, user-controlled input from the href attribute is directly concatenated into a jQuery HTML string without sanitization. As a result, authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute whenever any user accesses those pages.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when users access the injected pages. This stored cross-site scripting (XSS) flaw can lead to unauthorized access to user data or session hijacking.

Such security weaknesses can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information. Exploitation of this vulnerability could result in unauthorized disclosure or manipulation of sensitive data, thereby violating these regulatory requirements.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) in the Woostify WordPress plugin versions up to 2.5.0, specifically due to unsafe concatenation of user input into HTML strings in the Lity.js library.

To detect this vulnerability on your system, you can check the installed version of the Woostify plugin to see if it is version 2.5.0 or earlier, which are vulnerable.

You can use the following command to check the Woostify plugin version on your WordPress installation via the command line:

• grep -i woostify wp-content/plugins/woostify/style.css | grep Version

Alternatively, you can query the WordPress database to find the plugin version:

• wp plugin list --status=active | grep woostify

To detect exploitation attempts on your network, monitor HTTP requests for suspicious payloads in the href attribute or other inputs that could contain malicious scripts, especially from authenticated users with Contributor-level access or higher.

You can use web server logs or intrusion detection systems to search for suspicious patterns such as script tags or unusual JavaScript code in URLs or POST data.

Example command to search Apache logs for potential XSS payloads:

• grep -iE '(<script|javascript:|onerror=|onload=)' /var/log/apache2/access.log

Note that these commands help identify the presence of the vulnerable plugin version or potential exploitation attempts but do not guarantee detection of all attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into web pages. These scripts can execute in the context of other users visiting the affected pages, potentially leading to unauthorized actions such as stealing session cookies, defacing content, or performing actions on behalf of other users without their consent.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update the Woostify plugin to a version that includes the fix for CVE-2026-4805.

The fix involves modifying the Lity.js library to avoid direct HTML string concatenation when creating image and iframe elements, instead using jQuery methods to set attributes safely.

• Replace vulnerable versions of Woostify (up to and including 2.5.0) with a patched version that applies the fix.
• Ensure that user input is properly sanitized and output escaped, especially in the href attribute handling within the Lity.js lightbox library.
• Limit Contributor-level access and above to trusted users to reduce risk of exploitation.

Useful 0 Not Useful 0