VYPR
Medium severity, score 4.8 · NVD Advisory · Published Mar 26, 2026 · Updated Apr 15, 2026

CVE-2026-1430

Description

The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WP Lightbox 2 plugin before 3.0.7 has a stored XSS vulnerability via unsanitized settings, exploitable by admins even without unfiltered_html.

The WP Lightbox 2 WordPress plugin versions prior to 3.0.7 contain a stored cross-site scripting (XSS) vulnerability. The plugin fails to sanitize and escape some of its settings, allowing high-privilege users like administrators to inject arbitrary web scripts or HTML into the plugin's configuration [1].

This vulnerability is particularly dangerous in multisite environments where the unfiltered_html capability is typically disallowed for administrators. Because the plugin does not properly filter the settings input, an admin can still store malicious JavaScript even when they lack the unfiltered_html permission [1].

An attacker with admin-level access can exploit this by saving a crafted payload in the vulnerable settings field. When other users (including lower-privileged users or other admins) view the affected page, the stored script executes in their browser, potentially leading to session hijacking, defacement, or further privilege escalation within the WordPress context [1].

The vulnerability has been fixed in version 3.0.7 of the plugin. Users are strongly advised to update to this patched version immediately. No workarounds are documented, and the plugin maintainer has released the fix as of the publication date [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
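The mechanism behind this class of bug is that WordPress only applies its kses HTML filtering to content such as posts and comments; a plugin option saved through the Settings API is stored exactly as submitted unless the plugin supplies a sanitize callback, and it is printed back exactly as stored unless the plugin escapes it. The unfiltered_html capability therefore never enters the picture. The following is an added illustration, not code from the WP Lightbox 2 plugin: it places the weak pattern the advisory describes next to the hardened form. All option names, field names and function names are hypothetical.

```php
<?php
// Added example, not the WP Lightbox 2 plugin's code. Option and function
// names (example_lightbox_*) are hypothetical. Shows why a settings field
// can become a stored XSS sink regardless of unfiltered_html, and the fix.

// --- Weak pattern: stored raw, printed raw. ---
// With no sanitize_callback, options.php persists the submitted string
// unchanged; WordPress does not run kses on arbitrary options and does not
// consult unfiltered_html here, so markup survives the round trip.
function example_weak_register_settings() {
    register_setting( 'example_lightbox_group', 'example_lightbox_title' );
}

function example_weak_render_field() {
    $value = get_option( 'example_lightbox_title', '' );
    // Unescaped interpolation into an attribute: whatever was stored is
    // emitted verbatim into every viewer's settings page.
    echo '<input type="text" name="example_lightbox_title" value="' . $value . '">';
}

// --- Hardened pattern: sanitise on save, escape on output. ---
function example_hardened_register_settings() {
    register_setting(
        'example_lightbox_group',
        'example_lightbox_title',
        array(
            'type'              => 'string',
            // Runs on every save through the Settings API; strips tags and
            // encodes stray angle brackets before the value reaches the DB.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );

    // A setting that legitimately carries limited HTML (e.g. a caption)
    // gets an allow-list filter instead of a capability check.
    register_setting(
        'example_lightbox_group',
        'example_lightbox_caption',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_caption',
            'default'           => '',
        )
    );
}

function example_sanitize_caption( $raw ) {
    // wp_kses_post keeps the tags WordPress allows in post content and
    // drops script, event handlers and javascript: URLs.
    return wp_kses_post( $raw );
}

function example_hardened_render_fields() {
    $title   = get_option( 'example_lightbox_title', '' );
    $caption = get_option( 'example_lightbox_caption', '' );

    // Escape for the context the value lands in: an HTML attribute here.
    printf(
        '<input type="text" name="example_lightbox_title" value="%s">',
        esc_attr( $title )
    );

    // Output that is allowed to contain HTML is re-filtered on the way out,
    // so a value written to the DB by another path cannot bypass the filter.
    printf(
        '<textarea name="example_lightbox_caption">%s</textarea>',
        esc_textarea( $caption )
    );
    echo '<div class="example-preview">' . wp_kses_post( $caption ) . '</div>';
}

add_action( 'admin_init', 'example_hardened_register_settings' );
```

Two points worth checking when auditing any plugin's settings page against this bug class: every `register_setting()` call should carry a `sanitize_callback` (or the plugin should sanitise in its own save handler), and every `get_option()` value that reaches HTML should pass through `esc_attr()`, `esc_html()`, `esc_textarea()` or a kses filter matching its context. For this CVE, the remediation the advisory gives is simply to confirm the installed plugin version is 3.0.7 or later.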

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1