Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox ari-fancy-lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through <= 1.4.0.
Published: 2025-09-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ari Fancy Lightbox plugin for WordPress does not properly neutralize user‑supplied input when generating web pages, allowing attackers to store malicious scripts that will execute in the browser of any user who views a page rendered by the plugin. This stored cross‑site scripting (XSS) flaw can lead to session hijacking, defacement, or the delivery of additional malware, compromising confidentiality, integrity and availability of the affected site.

Affected Systems

The vulnerability affects the arisoft ARI Fancy Lightbox plugin, version 1.4.0 and earlier. WordPress sites that have installed and enabled this plugin before the release of a fixed version are susceptible.

Risk and Exploitability

The CVSS score of 6.5 corresponds to medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is a user (authenticated or unauthenticated) who can insert malicious data into the plugin's storage fields; that data is later rendered in a web page viewed by other users.

Generated by OpenCVE AI on April 30, 2026 at 02:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ARI Fancy Lightbox plugin to a version newer than 1.4.0, as the vendor has released a fix.
  • If an upgrade is not possible, disable the plugin or replace it with a trusted alternative until a patch can be applied.
  • Implement a Content Security Policy that restricts script execution to trusted domains to mitigate the risk of XSS until remediation is complete.



Advisories

Source: EUVD
ID: EUVD-2025-26993
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through 1.4.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
    Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through 1.4.0.
    Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox ari-fancy-lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through <= 1.4.0.
  Type: References
  Type: Metrics (cvssV3_1)
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Sun, 07 Sep 2025 15:30:00 +0000

  Type: First Time appeared
    Ari-soft
    Ari-soft ari Fancy Lightbox
    Wordpress
    Wordpress wordpress
  Type: Vendors & Products
    Ari-soft
    Ari-soft ari Fancy Lightbox
    Wordpress
    Wordpress wordpress

Fri, 05 Sep 2025 17:15:00 +0000

  Type: Metrics (ssvc)
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Sep 2025 14:00:00 +0000

  Type: Description
    Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through 1.4.0.
  Type: Title
    Values Added: WordPress ARI Fancy Lightbox Plugin <= 1.4.0 - Cross Site Scripting (XSS) Vulnerability
  Type: Weaknesses
    Values Added: CWE-79
  Type: References
  Type: Metrics (cvssV3_1)
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:15:22.910Z

Reserved: 2025-09-05T10:48:52.284Z

Link: CVE-2025-58784

Vulnrichment

Updated: 2025-09-05T16:00:36.431Z

NVD

Status: Deferred

Published: 2025-09-05T14:15:46.110

Modified: 2026-04-23T15:33:37.210

Link: CVE-2025-58784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:45:16Z

Weaknesses