{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4379", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-18T13:23:42.883Z", "datePublished": "2026-04-08T02:25:40.372Z", "dateUpdated": "2026-04-08T16:43:46.418Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:46.418Z"}, "affected": [{"vendor": "firelightwp", "product": "LightPress Lightbox", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the `group` attribute value without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2bed4818-70c5-40b7-8d8d-f43f3baa0f3d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-jquery-lightbox/tags/2.3.4/lightboxes/wp-jquery-lightbox/class-wp-jquery-lightbox.php#L395"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-jquery-lightbox/tags/2.3.4/lightboxes/wp-jquery-lightbox/class-wp-jquery-lightbox.php#L376"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wp-jquery-lightbox/tags/2.3.4&new_path=/wp-jquery-lightbox/tags/2.3.5"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-03-23T17:48:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T13:33:34.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the `group` attribute value without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4379", "lastModified": "2026-04-08T04:17:09.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T04:17:09.967", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-jquery-lightbox/tags/2.3.4/lightboxes/wp-jquery-lightbox/class-wp-jquery-lightbox.php#L376"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-jquery-lightbox/tags/2.3.4/lightboxes/wp-jquery-lightbox/class-wp-jquery-lightbox.php#L395"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/wp-jquery-lightbox/tags/2.3.4&new_path=/wp-jquery-lightbox/tags/2.3.5"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2bed4818-70c5-40b7-8d8d-f43f3baa0f3d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T04:20:29.848903+00:00", "value": {"mitigation_remediation": ["Upgrade LightPress Lightbox to version 2.3.5 or later.", "If an immediate upgrade is not possible, edit any gallery shortcodes to remove the 'group' attribute or replace it with a safe value.", "Verify that no stored XSS remains by reviewing the gallery outputs and testing for script execution in a controlled environment."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All instances of FirelightWP\u2019s LightPress Lightbox up to version 2.3.4 are affected. A user can exploit the vulnerability by adding or editing a gallery shortcode with a crafted 'group' value on any page or post that accepts shortcodes. The vulnerability stops at the plugin level and only affects sites that use this plugin.", "description_and_impact": "Medium\u2011severity Cross\u2011Site Scripting exists in the LightPress Lightbox WordPress plugin. By placing specially formatted input in the 'group' attribute of the gallery shortcode, an attacker who can create or edit posts\u2014a Contributor or higher\u2014can embed malicious scripts. Those scripts are stored in the gallery\u2019s markup and run in the browsers of any visitor who views the affected page, allowing execution of arbitrary client\u2011side code.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate risk. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, because the vulnerability requires only contributor\u2011level access, which is common on many sites, an attacker can easily inject scripts that perform malicious actions such as cookie theft, session hijacking, or defacement once they are embedded in a page viewed by regular users."}}}}, "created": "2026-04-08T19:44:08.511802+00:00", "updated": "2026-04-08T19:44:08.511839+00:00", "vendors": []}