Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery Lightbox gallery-lightbox-slider allows Stored XSS. This issue affects Gallery Lightbox: from n/a through <= 1.0.0.41.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw (CWE-79) caused by the plugin's failure to neutralize user-supplied input before writing it into a page. An attacker can submit script content that the plugin stores and later renders, so the script executes in the browser of every visitor who loads the affected page, in that visitor's session context. The weakness reflects missing input validation and missing output encoding.

Affected Systems

All installations of GhozyLab Gallery Lightbox at version 1.0.0.41 or earlier are affected. The issue lies in the plugin's gallery-lightbox-slider component and can be reached through any user interface that accepts content the plugin later displays.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as medium severity, and the EPSS score below 1% indicates a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because it is a stored XSS flaw, an attacker needs access to an interface that accepts input for the plugin, typically an account such as a logged-in administrator or a content creator with access to the gallery settings. Once the payload is stored, it affects every visitor who loads a page rendered by the gallery lightbox.

Generated by OpenCVE AI on April 30, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GhozyLab Gallery Lightbox to a version that removes the stored XSS flaw.
  • If no update is available, disable the plugin until a fix is released to prevent new content from being injected.
  • Implement a Content Security Policy that blocks inline script execution and the use of unsafe-eval in your site.
  • Ensure that any data submitted through the plugin is properly escaped or sanitized before it is output to the page.
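As an added illustration of the last two recommended actions (this is example code, not code from the Gallery Lightbox plugin or from OpenCVE), the stand-alone PHP below shows the output pattern behind a stored XSS in a gallery caption beside the escaped form that neutralizes it, plus a Content Security Policy header that refuses inline scripts as defense in depth. The caption value, the `render_caption_*` helpers and the `csp_header` function are constructed for the example; in WordPress, `esc_html()` and `esc_attr()` play the role that `htmlspecialchars()` plays here.

```php
<?php
// Added example, not the plugin's code. A gallery caption submitted by a
// low-privileged user (constructed sample) that carries markup.
$stored_caption = 'Sunset <script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated into the page
// as-is, so the browser parses and runs the embedded script (CWE-79).
function render_caption_unsafe(string $caption): string {
    return '<figcaption>' . $caption . '</figcaption>';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps
// malformed UTF-8 from silently emptying the output.
function render_caption_safe(string $caption): string {
    $safe = htmlspecialchars($caption, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<figcaption>' . $safe . '</figcaption>';
}

// Defense in depth: a CSP without 'unsafe-inline' or 'unsafe-eval'
// stops an inline payload from executing even if an encoding bug
// slips through. It must be sent before any output.
function csp_header(): string {
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'";
}

if (PHP_SAPI !== 'cli') {
    header(csp_header());
}

// The unsafe rendering leaves the <script> element intact; the safe one
// turns its angle brackets into entities so the browser shows it as text.
echo render_caption_unsafe($stored_caption), PHP_EOL;
echo render_caption_safe($stored_caption), PHP_EOL;
```

Escaping belongs at the point of output, not only at the point of storage: the same caption may be emitted into a text node, an attribute and a JavaScript string, and each context needs its own encoder.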

Advisories

Source: EUVD
ID: EUVD-2025-30659
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery Lightbox allows Stored XSS. This issue affects Gallery Lightbox: from n/a through 1.0.0.41.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery Lightbox allows Stored XSS. This issue affects Gallery Lightbox: from n/a through 1.0.0.41.
Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery Lightbox gallery-lightbox-slider allows Stored XSS. This issue affects Gallery Lightbox: from n/a through <= 1.0.0.41.
Title, value removed: WordPress Gallery Lightbox Plugin <= 1.0.0.41 - Cross Site Scripting (XSS) Vulnerability
Title, value added: WordPress Gallery Lightbox plugin <= 1.0.0.41 - Cross Site Scripting (XSS) vulnerability
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 16:15:00 +0000

First Time appeared, values added: Ghozylab; Ghozylab gallery Lightbox; Wordpress; Wordpress wordpress
Vendors & Products, values added: Ghozylab; Ghozylab gallery Lightbox; Wordpress; Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:30:00 +0000

Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery Lightbox allows Stored XSS. This issue affects Gallery Lightbox: from n/a through 1.0.0.41.
Title, value added: WordPress Gallery Lightbox Plugin <= 1.0.0.41 - Cross Site Scripting (XSS) Vulnerability
Weaknesses, value added: CWE-79
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.697Z

Reserved: 2025-08-22T11:37:02.929Z

Link: CVE-2025-57966

Vulnrichment

Updated: 2025-09-23T14:23:33.631Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:55.850

Modified: 2026-04-23T15:33:08.770

Link: CVE-2025-57966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:00:13Z

Weaknesses