Description
The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-28
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch immediately
AI Analysis

Impact

The vulnerability exists in the bundled Lity.js lightbox library of the Woostify plugin, where user-controlled input from the href attribute is concatenated directly into a jQuery–generated HTML string without proper sanitization or escaping. This flaw qualifies as a stored XSS (CWE‑79) and permits an authenticated attacker to inject arbitrary JavaScript that will run for any visitor who views an affected page.

Affected Systems

Woostify, a WordPress theme/plugin developed by duongancol, is affected in all releases up to and including version 2.5.0. Users deploying these versions on their WordPress sites are at risk.

Risk and Exploitability

The flaw carries a CVSS score of 6.4, indicating a moderate severity. The EPSS score is not available, but the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authenticated access with Contributor-level or higher privileges, the likely attack vector is a compromised contributor account or a privileged user exploiting the custom HTML block. Once injected, the malicious script executes in every user's browser, potentially compromising credentials and data, or hijacking user sessions.

Generated by OpenCVE AI on April 28, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Woostify plugin to version 2.5.1 or later, which removes the vulnerable code in Lity.js
  • Restrict Contributor‑level access or re‑grant roles to limit the ability to edit custom HTML blocks, thereby reducing the attack surface
  • If an immediate upgrade is not possible, disable the Lity.js library or remove custom HTML blocks containing the vulnerable data‑lity attribute to block potential injection

Generated by OpenCVE AI on April 28, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Duongancol
Duongancol woostify
Wordpress
Wordpress wordpress
Vendors & Products Duongancol
Duongancol woostify
Wordpress
Wordpress wordpress

Tue, 28 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Woostify <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lity.js Library via data-lity Attribute in Custom HTML Block
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Duongancol Woostify
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-28T06:45:46.877Z

Reserved: 2026-03-25T12:08:24.784Z

Link: CVE-2026-4805

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-28T08:16:01.800

Modified: 2026-04-28T08:16:01.800

Link: CVE-2026-4805

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses