Impact
The Photonic Gallery & Lightbox plugin for WordPress contains a stored cross-site scripting (XSS) flaw that allows an attacker with contributor-level access to inject arbitrary script payloads through the caption attribute of the lightbox functionality. When a victim views an affected page, the injected code executes in the victim's browser, potentially allowing credential theft, session hijacking, defacement or the execution of malicious scripts. The weakness is classified as CWE-79 (improper neutralization of input during web page generation): the caption value is not adequately escaped before being rendered into the page.
Affected Systems
Users running the Photonic Gallery & Lightbox plugin for Flickr, SmugMug & Others, version 3.21 or earlier, on any WordPress site. The plugin is identified by the vendor:product name sayontan:Photonic Gallery & Lightbox for Flickr, SmugMug & Others.
Risk and Exploitability
The CVSS score of 6.4 denotes a moderate risk, while the EPSS score of < 1 % indicates a low likelihood of exploitation in the wild. Because the vulnerability requires authenticated access, the attack surface is limited to sites with contributor-level users. The flaw is not currently listed in the CISA KEV catalog, but given the prevalence of WordPress installations and the ease of exploitation once a contributor account has been compromised, administrators should treat it with priority. The exploit path involves an attacker logging in, editing a media item's caption, and embedding malicious JavaScript that will run for any user who views the image or lightbox content. No public exploit code is known at this time and the exploitation probability is low; even so, immediate patching is recommended, since updating eliminates the risk outright.
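The following PHP is an added example written for this page, not the Photonic plugin's own code, and the plugin's actual markup is not shown here. It illustrates the CWE-79 pattern described under Impact (a stored caption concatenated into an HTML attribute) beside the hardened form, and adds the audit a site administrator would want after the exploit path above: a scan of stored captions for characters that can close an attribute or open a tag. The data-caption attribute name, the image URLs and the caption rows are assumptions constructed for the example; htmlspecialchars() is standard PHP, and esc_attr() / esc_url() are the WordPress equivalents a plugin would normally call.

```php
<?php
// Added example, not the Photonic plugin's own code. It shows the general
// pattern behind a caption-attribute stored XSS (CWE-79) and two defensive
// pieces: attribute-context escaping at render time, and an audit over stored
// captions that flags values able to break out of an attribute.
declare(strict_types=1);

/**
 * Unsafe rendering: the caption is concatenated straight into a quoted
 * attribute, so a stored value containing a double quote terminates the
 * attribute and whatever follows is parsed by the browser as new markup.
 * (The data-caption attribute name is an assumption for this example.)
 */
function render_lightbox_link_unsafe(string $image_url, string $caption): string
{
    return '<a href="' . $image_url . '" data-caption="' . $caption . '">View</a>';
}

/**
 * Safe rendering: escape for attribute context. htmlspecialchars() with
 * ENT_QUOTES encodes both quote characters as well as <, > and &, so the
 * caption can no longer end the attribute. Inside a WordPress plugin the
 * equivalents are esc_attr() for attribute values and esc_url() for hrefs.
 */
function render_lightbox_link_safe(string $image_url, string $caption): string
{
    $url = htmlspecialchars($image_url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $cap = htmlspecialchars($caption, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $url . '" data-caption="' . $cap . '">View</a>';
}

/**
 * Audit helper: given stored captions keyed by media id (for instance rows
 * pulled from the database), return the ids whose value contains characters
 * that can end an attribute or open a tag. Legitimate captions rarely need
 * them, so hits are worth a manual review, especially after a contributor
 * account is suspected of having been compromised.
 */
function find_suspicious_captions(array $rows): array
{
    $flagged = [];
    foreach ($rows as $id => $caption) {
        if (preg_match('/["\'<>]/', $caption) === 1) {
            $flagged[] = $id;
        }
    }
    return $flagged;
}

// Constructed sample data: one harmless caption and one carrying an
// attribute-closing quote and an angle bracket. No script is included; the
// boundary characters are what the escaping has to neutralise.
$rows = [
    101 => 'Harbour at dawn',
    102 => 'Sunset "golden hour" <test>',
];

foreach ($rows as $id => $caption) {
    $img = '/img/' . $id . '.jpg';
    echo "caption $id unsafe: " . render_lightbox_link_unsafe($img, $caption) . PHP_EOL;
    echo "caption $id safe:   " . render_lightbox_link_safe($img, $caption) . PHP_EOL;
}
echo 'flagged for review: ' . implode(', ', find_suspicious_captions($rows)) . PHP_EOL;
```

Running the script with `php` prints both renderings for each caption: for id 102 the unsafe output contains a raw `"` that ends the data-caption attribute early, while the safe output carries `&quot;`, `&lt;` and `&gt;` instead, and the audit reports `flagged for review: 102`. The audit is deliberately coarse; its job is to shortlist captions for a human to look at, not to decide on its own which are malicious.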
OpenCVE Enrichment