Impact
The WP Lightbox 2 WordPress plugin before version 3.0.7 fails to sanitise and escape certain configuration settings. When an administrator saves malicious code into those settings, the stored script is later rendered unescaped on the settings page and executed, which is a stored cross-site scripting flaw. The vulnerability does not allow arbitrary code execution on the server; it only enables client-side scripts to run in the browsers of users who view the modified settings page.
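The two patterns behind this class of bug, shown side by side as an added example (this is illustrative code written for this page, not code from WP Lightbox 2, and the `xss_demo_*` option, group and menu names are hypothetical): the vulnerable handler stores a submitted setting raw and echoes it raw into an HTML attribute, while the hardened handler registers a `sanitize_callback` so the value is cleaned on save and escapes it with `esc_attr()` on output. Both pages are wired up as an admin submenu so the contrast can be observed on a test site.

```php
<?php
/*
Plugin Name: XSS Demo (settings sanitise/escape contrast)
*/
// Added illustrative example; not part of WP Lightbox 2. Names prefixed
// "xss_demo_" are hypothetical and exist only for this demonstration.

// --- Vulnerable pattern: raw in, raw out. -------------------------------
function xss_demo_vulnerable_page() {
    if ( isset( $_POST['xss_demo_caption'] ) ) {
        // No nonce check and no sanitisation: whatever the administrator
        // submits is stored exactly as received.
        update_option( 'xss_demo_caption', wp_unslash( $_POST['xss_demo_caption'] ) );
    }
    $caption = get_option( 'xss_demo_caption', '' );
    // No escaping: a stored value containing a double quote can close the
    // attribute and inject markup that runs for anyone opening this page.
    echo '<div class="wrap"><form method="post">'
       . '<input name="xss_demo_caption" value="' . $caption . '">'
       . '<button class="button">Save (vulnerable)</button></form></div>';
}

// --- Hardened pattern: sanitise on save, escape on output, verify request. --
function xss_demo_register_setting() {
    register_setting(
        'xss_demo_group',
        'xss_demo_caption',
        array(
            'type'              => 'string',
            // Runs on every save through options.php; strips tags and
            // control characters before the value reaches the database.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'xss_demo_register_setting' );

function xss_demo_hardened_page() {
    $caption = get_option( 'xss_demo_caption', '' );
    ?>
    <div class="wrap">
    <form method="post" action="options.php">
        <?php settings_fields( 'xss_demo_group' ); // nonce + option_page fields, verified by options.php ?>
        <!-- esc_attr() makes the stored value inert inside the attribute -->
        <input name="xss_demo_caption" value="<?php echo esc_attr( $caption ); ?>">
        <?php submit_button( 'Save (hardened)' ); ?>
    </form>
    </div>
    <?php
}

function xss_demo_menu() {
    add_options_page( 'XSS Demo (vulnerable)', 'XSS Demo (vuln)', 'manage_options',
        'xss-demo-vuln', 'xss_demo_vulnerable_page' );
    add_options_page( 'XSS Demo (hardened)', 'XSS Demo (safe)', 'manage_options',
        'xss-demo-safe', 'xss_demo_hardened_page' );
}
add_action( 'admin_menu', 'xss_demo_menu' );
```

Dropped into `wp-content/plugins/` on a disposable test site, the two submenu pages share the same option, so a value saved through the vulnerable form renders raw there but inert on the hardened page. Sanitising on save alone is not sufficient: the output side still needs the context-appropriate escape (`esc_attr()` inside attributes, `esc_html()` in element content), which is the missing half that this advisory describes.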
Affected Systems
Any WordPress site that has WP Lightbox 2 installed in a version older than 3.0.7 is affected. The issue is independent of the core WordPress version; it requires only that the plugin is installed and that a user with administrative privileges can modify its settings.
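A quick way to confirm whether an installation falls in the affected range is to read the `Version:` header of the plugin's main file and compare it against 3.0.7 with `version_compare()`. The following stand-alone CLI script is an added example (not part of the advisory or the plugin); it assumes the plugin lives at the default slug path `wp-content/plugins/wp-lightbox-2/wp-lightbox-2.php`, which should be adjusted if the copy being checked uses a different directory or main-file name.

```php
<?php
// Added example: check an installed WP Lightbox 2 copy against the fixed release.
// Usage: php check-wp-lightbox-2.php /path/to/wordpress
// The plugin path below is an assumption about the default install layout.

const FIXED_VERSION = '3.0.7';

// Extract the "Version:" header the same way WordPress does: only the first
// 8 KB of the main plugin file are inspected.
function plugin_header_version( string $main_file ): ?string {
    $head = @file_get_contents( $main_file, false, null, 0, 8192 );
    if ( $head === false ) {
        return null;
    }
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// True when the installed version precedes the release that carries the fix.
function is_affected( string $installed, string $fixed = FIXED_VERSION ): bool {
    return version_compare( $installed, $fixed, '<' );
}

$root = rtrim( $argv[1] ?? '/var/www/html', '/' );          // constructed default root
$main = $root . '/wp-content/plugins/wp-lightbox-2/wp-lightbox-2.php'; // assumed path

$installed = file_exists( $main ) ? plugin_header_version( $main ) : null;

if ( $installed === null ) {
    echo "WP Lightbox 2 not found (or no Version header) under $root\n";
} elseif ( is_affected( $installed ) ) {
    echo "AFFECTED: WP Lightbox 2 $installed is older than " . FIXED_VERSION . "; update the plugin\n";
} else {
    echo "OK: WP Lightbox 2 $installed is at or above " . FIXED_VERSION . "\n";
}
```

`version_compare()` handles dotted versions correctly (3.0.10 sorts after 3.0.7, which a plain string comparison would get wrong), so the same check can be run in a loop over many document roots on a multi-tenant host.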
Risk and Exploitability
The CVSS score of 4.8 indicates medium severity, and the EPSS score below 1% suggests that exploitation attempts will be uncommon. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator to inject a payload through the plugin's settings interface; it does not rely on network-level attacks. Once the malicious script is stored, it can affect any user who navigates to the settings page, with potential data theft or session hijacking for those users. The attack vector is therefore an authenticated administrator with the ability to edit the plugin's settings; this vector is inferred from the vulnerability description.
OpenCVE Enrichment