Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oğulcan Özügenç Gallery and Lightbox gallery-and-lightbox allows Stored XSS. This issue affects Gallery and Lightbox: from n/a through <= 1.0.14.
Published: 2025-01-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic CWE‑79 Stored Cross‑Site Scripting flaw. Malicious input can be injected into the plugin’s output and later rendered in the browser of any visitor who loads affected content. An attacker can use this to deface the site, steal session cookies, hijack user accounts, or perform additional malicious actions from within the victim’s session. The flaw stems from improper neutralization of user‑supplied data during web page generation.

Affected Systems

WordPress sites that have installed the Gallery and Lightbox plugin from Oğulcan Özügenç, with any version up to and including 1.0.14. No further version restrictions are listed in the advisory, so all releases in that range are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 marks it as moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation in current threat landscapes. The vulnerability is not present in the CISA KEV catalog. The attack vector is inferred to be through the plugin’s web interface where user input is stored and later displayed—typical of stored XSS. A remote attacker, with access to the WordPress administration interface or any public form that feeds into the plugin, can supply malicious payloads that will be served to all site visitors.

Generated by OpenCVE AI on May 2, 2026 at 06:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Perform a site‑wide file integrity scan to ensure no unauthorized scripts have been added, and review the plugin’s input handling for any other vulnerable endpoints.
  • Update Gallery and Lightbox to the latest version that fixes the XSS issue (i.e., a version newer than 1.0.14) or remove the plugin if an update is not available.
  • Restrict plugin usage to trusted administrators only, and disable public input fields or enforce strong input validation until the vulnerability is patched.
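As an added illustration of the CWE-79 pattern behind the third recommendation (this is not the Gallery and Lightbox plugin's code; the advisory does not identify the affected field or endpoint): a stored gallery caption and link echoed back unescaped, beside the same output run through WordPress's core escaping helpers. The function names, the $url and $caption parameters and the sample stored values are hypothetical and constructed for the example.

```php
<?php
// Hypothetical illustration of the CWE-79 pattern named in the advisory.
// Not the plugin's code; function names and sample values are constructed.
// esc_url(), esc_attr(), wp_kses_post() and sanitize_text_field() are core
// WordPress functions and are only defined when this runs inside WordPress.

// Constructed sample of what an untrusted user could have saved into a
// caption and link field earlier (stored XSS: the payload lives in the DB).
$caption = 'Sunset "beach" <script>alert(1)</script>';
$url     = 'javascript:alert(1)';

// Vulnerable pattern: stored data is concatenated straight into HTML.
// Every visitor's browser then interprets whatever was saved.
function render_item_unsafe(string $url, string $caption): string {
    return '<a href="' . $url . '"><img alt="' . $caption . '"></a>'
         . '<p class="caption">' . $caption . '</p>';
}

// Hardened pattern: escape for the exact output context.
// esc_url() drops disallowed schemes such as javascript:, esc_attr() encodes
// quotes and angle brackets inside an attribute, wp_kses_post() keeps only
// the HTML that WordPress allows in post content.
function render_item_safe(string $url, string $caption): string {
    return '<a href="' . esc_url($url) . '"><img alt="' . esc_attr($caption) . '"></a>'
         . '<p class="caption">' . wp_kses_post($caption) . '</p>';
}

// Write side: also sanitize on save so stored values are already clean.
// Output escaping stays mandatory; saving clean data is defence in depth.
function save_caption(string $raw): string {
    return sanitize_text_field($raw); // strips tags, encodes stray characters
}

echo render_item_safe($url, $caption);
```

The check a reviewer applies to plugin code is the same one the two functions contrast: every variable that reaches the page goes through an escaping call chosen for its context (attribute, URL, HTML body) at the point of output, regardless of what validation happened on save.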



Advisories

Source: EUVD
ID: EUVD-2025-3001
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oğulcan Özügenç Gallery and Lightbox allows Stored XSS. This issue affects Gallery and Lightbox: from n/a through 1.0.14.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oğulcan Özügenç Gallery and Lightbox allows Stored XSS.This issue affects Gallery and Lightbox: from n/a through 1.0.14.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oğulcan Özügenç Gallery and Lightbox gallery-and-lightbox allows Stored XSS.This issue affects Gallery and Lightbox: from n/a through <= 1.0.14.

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 15 Jan 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 15:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oğulcan Özügenç Gallery and Lightbox allows Stored XSS.This issue affects Gallery and Lightbox: from n/a through 1.0.14.

Type: Title
Values Removed: (none)
Values Added: WordPress Gallery and Lightbox plugin <= 1.0.14 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:07.627Z

Reserved: 2025-01-07T21:05:18.435Z

Link: CVE-2025-22797

Vulnrichment

Updated: 2025-01-15T19:29:42.602Z

NVD

Status: Deferred

Published: 2025-01-15T16:15:42.200

Modified: 2026-06-17T08:50:09.023

Link: CVE-2025-22797

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:45:36Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')