CVE-2026-4805
Stored XSS in Woostify Plugin via Lity.js Lightbox (Auth Users
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woostify | woostify | to 2.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when users access the injected pages. This stored cross-site scripting (XSS) flaw can lead to unauthorized access to user data or session hijacking.
Such security weaknesses can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information. Exploitation of this vulnerability could result in unauthorized disclosure or manipulation of sensitive data, thereby violating these regulatory requirements.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored Cross-Site Scripting (XSS) in the Woostify WordPress plugin versions up to 2.5.0, specifically due to unsafe concatenation of user input into HTML strings in the Lity.js library.
To detect this vulnerability on your system, you can check the installed version of the Woostify plugin to see if it is version 2.5.0 or earlier, which are vulnerable.
You can use the following command to check the Woostify plugin version on your WordPress installation via the command line:
- grep -i woostify wp-content/plugins/woostify/style.css | grep Version
Alternatively, you can query the WordPress database to find the plugin version:
- wp plugin list --status=active | grep woostify
To detect exploitation attempts on your network, monitor HTTP requests for suspicious payloads in the href attribute or other inputs that could contain malicious scripts, especially from authenticated users with Contributor-level access or higher.
You can use web server logs or intrusion detection systems to search for suspicious patterns such as script tags or unusual JavaScript code in URLs or POST data.
Example command to search Apache logs for potential XSS payloads:
- grep -iE '(<script|javascript:|onerror=|onload=)' /var/log/apache2/access.log
Note that these commands help identify the presence of the vulnerable plugin version or potential exploitation attempts but do not guarantee detection of all attacks.
Can you explain this vulnerability to me?
The Woostify plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.5.0. This vulnerability arises because the bundled Lity.js lightbox library does not properly sanitize or escape user input. Specifically, user-controlled input from the href attribute is directly concatenated into a jQuery HTML string without sanitization. As a result, authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute whenever any user accesses those pages.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into web pages. These scripts can execute in the context of other users visiting the affected pages, potentially leading to unauthorized actions such as stealing session cookies, defacing content, or performing actions on behalf of other users without their consent.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Woostify plugin to a version that includes the fix for CVE-2026-4805.
The fix involves modifying the Lity.js library to avoid direct HTML string concatenation when creating image and iframe elements, instead using jQuery methods to set attributes safely.
- Replace vulnerable versions of Woostify (up to and including 2.5.0) with a patched version that applies the fix.
- Ensure that user input is properly sanitized and output escaped, especially in the href attribute handling within the Lity.js lightbox library.
- Limit Contributor-level access and above to trusted users to reduce risk of exploitation.