Description
Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross-Site Scripting flaw, classified as CWE-79, in the dFactory Responsive Lightbox WordPress plugin versions 2.7.6 and earlier. It permits any visitor to inject arbitrary JavaScript that is rendered when the lightbox is opened, allowing cookie theft, session hijacking, defacement or other malicious actions in the context of the site visitor's browser session. The flaw is caused by insufficient output encoding of user-supplied data in the plugin's lightbox rendering logic.

Affected Systems

The dFactory Responsive Lightbox plugin for WordPress, versions 2.7.6 and previous releases, is affected. Upgrading to version 2.7.7 or newer removes the flaw; no other WordPress components or plugins are listed as impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while no EPSS score is available, so the probability of exploitation cannot be quantified. The vulnerability is not catalogued in CISA's KEV, suggesting no documented exploitation in the wild. However, because the attack requires no authentication (the CVSS vector records PR:N), any site visitor can trigger it; the vector's UI:R component means a victim must still interact with the crafted content for the payload to execute. The risk therefore remains significant for sites still running older plugin versions.

Generated by OpenCVE AI on June 26, 2026 at 17:17 UTC.

Remediation

Vendor Solution

Update the WordPress Responsive Lightbox Plugin to the latest available version (at least 2.7.7).
OpenCVE Recommended Actions

  • Upgrade the WordPress Responsive Lightbox plugin to version 2.7.7 or later.
  • If an upgrade cannot be performed instantly, disable or uninstall the plugin to eliminate the vulnerable code path.
  • Implement a Web Application Firewall rule to block or sanitize script payloads in the plugin’s query parameters.

Generated by OpenCVE AI on June 26, 2026 at 17:17 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Dfactory
                                      Dfactory responsive Lightbox
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Dfactory
                                      Dfactory responsive Lightbox
                                      Wordpress
                                      Wordpress wordpress

Fri, 26 Jun 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions.
Title                          WordPress Responsive Lightbox plugin <= 2.7.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Dfactory Responsive Lightbox
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:52:40.838Z

Reserved: 2026-06-18T14:37:40.347Z

Link: CVE-2026-56041

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')