
19 matches found

Patchstack
added 2026/04/03 11:14 p.m. | 4 views

WordPress Shortcodes Ultimate plugin <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Shortcodes Ultimate versions <= 7.4.7...

CVSS 6.4 | AI score 5.9 | EPSS 0.00012
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2026/04/01 1:16 a.m. | 2 views

CVE-2026-35055

XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox...

CVSS 6.1 | EPSS 0.00034
Exploits: 0 | References: 2
Patchstack
added 2026/03/23 6:27 p.m. | 3 views

WordPress Multi Functional Flexi Lightbox plugin <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via 'message' Parameter vulnerability

Authenticated (Admin+) Stored Cross-Site Scripting via 'message' Parameter vulnerability discovered by san6051 - PWC in WordPress Plugin Multi Functional Flexi Lightbox versions <= 1.2...

CVSS 5.5 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2026/03/21 3:26 a.m. | 25 views

CVE-2026-3347 Multi Functional Flexi Lightbox <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via 'message' Parameter

The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the arvlbmessage parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the arvlboptionsval sanitize callback returning...

CVSS 5.5 | EPSS 0.00045
Exploits: 0 | References: 5
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2021-11579

Malware in sbrugna...

CVSS 5.4 | AI score 5.6 | EPSS 0.00247
Exploits: 1 | References: 3
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-24051

Malicious code in bioql PyPI...

CVSS 6.4 | AI score 4.5 | EPSS 0.00072
Exploits: 0 | References: 4
EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2025-14273

Malicious code in bioql PyPI...

CVSS 5.9 | AI score 6.8 | EPSS 0.00184
Exploits: 1 | References: 2
Cvelist
added 2025/08/09 1:45 p.m. | 6 views

CVE-2025-7726 The7 <= 12.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title and data-dt-img-description Attributes

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...

CVSS 6.4 | EPSS 0.00072
Exploits: 0 | References: 4
Vulnrichment
added 2025/08/09 1:45 p.m. | 2 views

CVE-2025-7726 The7 <= 12.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title and data-dt-img-description Attributes

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...

CVSS 6.4 | AI score 6 | EPSS 0.00072
Exploits: 0 | References: 4
RedhatCVE
added 2025/06/29 6:7 a.m. | 4 views

CVE-2025-5093

The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 uses the Swipebox library, which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVSS 5.4 | AI score 5.6 | EPSS 0.0014
Exploits: 1 | References: 1
CVE
added 2025/06/27 6:0 a.m. | 17 views

CVE-2025-5035

CVE-2025-5035 concerns the WordPress plugin Firelight Lightbox. Public records show it could allow stored XSS by outputting unescaped title attributes, affecting users with as little as Contributor privileges. Public data confirms the issue existed in Firelight Lightbox versions prior to 2.3.16 a...

CVSS 5.4 | AI score 5.9 | EPSS 0.0014
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2025/04/10 8:9 a.m. | 45 views

CVE-2025-32139

CVE-2025-32139 refers to the WordPress plugin FooBox Image Lightbox (Lightbox) with an authenticated stored XSS vulnerability (Improper Neutralization of Input During Web Page Generation) affecting FooBox Image Lightbox versions from n/a up to 2.7.33. The Red Hat/Wordfence entries corroborate: vu...

CVSS 5.9 | AI score 7.2 | EPSS 0.0006
Exploits: 0 | References: 1
NVD
added 2025/04/04 4:15 p.m. | 3 views

CVE-2025-32176

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.2.5...

CVSS 6.5 | EPSS 0.00532
Exploits: 0 | References: 1
Vulnrichment
added 2025/04/04 3:58 p.m. | 6 views

CVE-2025-32176 WordPress Gallery Blocks with Lightbox plugin <= 3.2.5 - Stored Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator Gallery Blocks with Lightbox allows Stored XSS. This issue affects Gallery Blocks with Lightbox: from n/a through 3.2.5...

CVSS 6.5 | AI score 6.7 | EPSS 0.00532
Exploits: 0 | References: 1
Cvelist
added 2025/03/26 2:24 p.m. | 9 views

CVE-2025-23704 WordPress Your Lightbox plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Reuven Karasik Your Lightbox your-lightbox allows Reflected XSS. This issue affects Your Lightbox: from n/a through <= 1.0...

CVSS 7.1 | EPSS 0.00265
Exploits: 0 | References: 1
Cvelist
added 2024/12/19 7:12 p.m. | 15 views

CVE-2024-52794 Magnific lightbox susceptible to Cross-site Scripting in Discourse

Discourse is an open source platform for community discussion. Users clicking on the lightbox thumbnails could be affected. This problem is patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability...

CVSS 6.8 | EPSS 0.00714
Exploits: 0 | References: 1
Vulnrichment
added 2024/12/19 7:12 p.m. | 16 views

CVE-2024-52794 Magnific lightbox susceptible to Cross-site Scripting in Discourse

Discourse is an open source platform for community discussion. Users clicking on the lightbox thumbnails could be affected. This problem is patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability...

CVSS 6.8 | AI score 6.8 | EPSS 0.00714
Exploits: 0 | References: 1
Vulnrichment
added 2023/10/12 5:30 a.m. | 1 views

CVE-2023-5531

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the delete functionality. This makes it possible for unauthenticated attackers to delete image...

CVSS 4.3 | AI score 5.3 | EPSS 0.00069
Exploits: 0 | References: 3
CNVD
added 2015/08/25 12:0 a.m. | 2 views

PHP Kobo Photo Gallery CMS for PC/smartphone and feature phone Cross Site Scripting Vulnerability

PHP Kobo Photo Gallery CMS for PC, smartphone and feature phone is a photo gallery content management system (CMS) for PC, smartphone and feature phone from PHP Kobo Japan. A cross-site scripting vulnerability exists in the jquery.lightbox-0.5.min.js file in PHP Kobo Photo Gallery CMS for PC,...

CVSS 4.3 | AI score 6.3 | EPSS 0.00322
Exploits: 0 | References: 1