LightPress Lightbox plugin for WordPress allows attackers to inject scripts

CVE-2026-4379
Summary

The LightPress Lightbox plugin for WordPress contains a security flaw that allows attackers with contributor access or above to inject malicious scripts into web pages. The injected script runs when a user visits a page containing an affected gallery. To protect your site, update the plugin to the latest version or remove it if you're not using it.

Original title
The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is...
Original description
The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the `group` attribute value without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
NVD CVSS 3.1: 6.4
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026
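
An added audit example for the flaw described under "Original description" (not code from the plugin or from this advisory): it scans stored post content for `[gallery]` shortcodes whose `group` value is not a plain identifier and shows what the value looks like once escaped for an HTML attribute. The identifier allowlist, the function names and the sample posts are assumptions constructed for illustration.

```python
import html
import re

# Matches a [gallery ...] shortcode and captures its attribute string.
GALLERY_RE = re.compile(r"\[gallery\b([^\]]*)\]", re.IGNORECASE)
# name="v", name='v' or name=v: the three attribute forms shortcodes accept.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Assumption: a legitimate group name is a plain identifier (or empty).
SAFE_GROUP_RE = re.compile(r"[A-Za-z0-9_-]*")


def gallery_groups(content):
    """Yield the raw `group` value of every [gallery] shortcode in content."""
    for shortcode in GALLERY_RE.finditer(content):
        for m in ATTR_RE.finditer(shortcode.group(1)):
            if m.group(1).lower() == "group":
                # Exactly one of the three value alternatives matched.
                yield next(v for v in m.groups()[1:] if v is not None)


def audit_posts(posts):
    """Return findings for group values that are not plain identifiers."""
    findings = []
    for post_id, content in posts:
        for value in gallery_groups(content):
            if not SAFE_GROUP_RE.fullmatch(value):
                findings.append({
                    "post_id": post_id,
                    "raw": value,
                    # The same value escaped for use inside an HTML attribute.
                    "escaped": html.escape(value, quote=True),
                })
    return findings


# Constructed sample rows (post ID, post_content); not taken from a real site.
SAMPLE_POSTS = [
    (101, 'Intro [gallery ids="1,2,3" group="holiday-2025"] outro'),
    (102, """[gallery ids="4,5" group='a" data-x="1']"""),
    (103, "[gallery ids=6,7 group=team_photos]"),
    (104, "No shortcode here."),
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: group={f['raw']!r} -> {f['escaped']}")
```

Any flagged post deserves a manual look at its author and revision history; on a real site the rows would come from an export of post content rather than the inline list.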