Impact
Stored Cross-Site Scripting (XSS) is present in Firelight Lightbox, a WordPress plugin: malicious script code submitted through the plugin can be persistently stored in the site database and later rendered without adequate neutralisation. An attacker who can inject content that the plugin subsequently serves can execute arbitrary JavaScript in the browser of every user who views the affected page. This may lead to defacement, cookie theft, credential hijacking, or the execution of further attacks. The weakness is a classic case of improper neutralisation of input during web page generation (CWE-79), i.e. untrusted stored content reaching HTML output without context-appropriate escaping.
Affected Systems
Firelight Lightbox (also known as easy-fancybox), distributed as a WordPress plugin, is affected in all releases from the earliest available version up to and including 2.3.16. Any WordPress site that has not yet upgraded past 2.3.16 is potentially vulnerable.
Risk and Exploitability
The CVSS score of 6.5 categorises the vulnerability as moderate severity. The EPSS score of less than 1 % indicates a very low probability of exploitation at present, and the flaw is not listed in the CISA KEV catalog. Because the flaw is stored rather than reflected, an attacker who can inject content (for example through an administrative post editor or through content upload fields controlled by the plugin) can persist malicious code that is then served to every visitor of the affected page. Exploitation therefore requires the attacker to already hold some level of write access to the site, but once that is achieved the impact is broad and can compromise the sessions of all end users who view the content. The remediation is to upgrade the plugin to a release later than 2.3.16.
OpenCVE Enrichment