CVE-2026-3347 (CVSS 5.5): WordPress Multi Functional Flexi Lightbox plugin allows hackers to inject malicious scripts
Summary
An attacker who already holds Administrator access can store malicious scripts in WordPress pages or posts; the scripts then run in the browser of any user who visits a page or post with the lightbox enabled. This is a serious issue because it can be used to steal user data, steal Administrator credentials, or spread malware. To fix this, update the plugin to version 1.3 or later.
Original title
The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficie...
Original description
The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()` sanitize callback returning user input without any sanitization, and the stored `message` value being output in the `genLB()` function without escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page or post with the lightbox enabled.
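The two defects named in the description, a sanitize callback that returns its input unchanged and unescaped output in `genLB()`, shown beside their hardened forms. This is an added illustration written for this page, not the plugin's source: the function and option names come from the advisory, while the bodies, the option group name and the markup are assumed.

```php
<?php
// Added illustration of the defect class described in the advisory; this is
// NOT the plugin's own code. Names match the advisory, bodies are assumed.

// Vulnerable pattern: the sanitize callback registered for the `arv_lb`
// option hands back the submitted array untouched, so whatever an
// Administrator types into the "message" field is persisted verbatim.
function arv_lb_options_val_vulnerable( $input ) {
    return $input; // no sanitization at all
}

// Hardened version: sanitize each field according to what it may contain.
// The message is treated as plain text; keys the plugin does not expect
// are dropped instead of being stored.
function arv_lb_options_val( $input ) {
    $clean = array();
    if ( isset( $input['message'] ) ) {
        // sanitize_text_field() strips tags and encodes stray angle brackets.
        $clean['message'] = sanitize_text_field( $input['message'] );
    }
    return $clean;
}

// Registration (assumed group name). Attaching the callback here makes
// WordPress run it on every save, before the value reaches the database.
add_action( 'admin_init', function () {
    register_setting( 'arv_lb_group', 'arv_lb', array(
        'type'              => 'array',
        'sanitize_callback' => 'arv_lb_options_val',
    ) );
} );

// Output side. Input sanitization alone is not enough: a stored value must
// also be escaped at the point where it is printed, for the context it is
// printed into (HTML body here, hence esc_html()).
function genLB() {
    $opts    = get_option( 'arv_lb', array() );
    $message = isset( $opts['message'] ) ? $opts['message'] : '';

    // Vulnerable: echo '<div class="arv-lb-msg">' . $message . '</div>';
    echo '<div class="arv-lb-msg">' . esc_html( $message ) . '</div>';
}
```

Sanitizing on save and escaping on output are independent controls; the advisory describes both being absent, and either one on its own would have limited the issue.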
NVD CVSS 3.1: 5.5
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/tags/...
- https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/tags/...
- https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/trunk...
- https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/trunk...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a4c0b14a-d039-4008-a43...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026