The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Unknown | WP Lightbox 2 | unaffected |
|
No data.
No data.
No data.
Subscriptions
No data.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 26 Mar 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| Title | WP Lightbox 2 < 3.0.7 - Admin+ Stored XSS | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-03-26T06:00:09.269Z
Reserved: 2026-01-26T09:00:32.008Z
Link: CVE-2026-1430
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-03-26T07:16:19.790
Modified: 2026-03-26T07:16:19.790
Link: CVE-2026-1430
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.