{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1430", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-26T09:00:32.008Z", "datePublished": "2026-03-26T06:00:09.269Z", "dateUpdated": "2026-03-26T13:34:15.940Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-26T06:00:09.269Z"}, "title": "WP Lightbox 2 < 3.0.7 - Admin+ Stored XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "WP Lightbox 2", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "3.0.7"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}], "references": [{"url": "https://wpscan.com/vulnerability/e0536061-140d-47eb-9e8b-9785b52c62f7/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Krugov Artyom", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:33:54.097455Z", "id": "CVE-2026-1430", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:34:15.940Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1430", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:33:54.097455Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:34:12.683Z"}}], "cna": {"title": "WP Lightbox 2 < 3.0.7 - Admin+ Stored XSS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Krugov Artyom"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "WP Lightbox 2", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/e0536061-140d-47eb-9e8b-9785b52c62f7/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-26T06:00:09.269Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1430", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:34:15.940Z", "dateReserved": "2026-01-26T09:00:32.008Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-26T06:00:09.269Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}, {"lang": "es", "value": "El plugin de WordPress WP Lightbox 2 anterior a 3.0.7 no sanitiza ni escapa algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con altos privilegios, como el administrador, realizar ataques de cross-site scripting almacenado incluso cuando la capacidad unfiltered_html est\u00e1 deshabilitada (por ejemplo, en una configuraci\u00f3n multisitio)."}], "id": "CVE-2026-1430", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T07:16:19.790", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/e0536061-140d-47eb-9e8b-9785b52c62f7/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "WP Lightbox 2", "source": "cna", "vendor": "Unknown"}, "product": "wp_lightbox_2", "vendor": "syedbalkhi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-27T23:20:19.086231+00:00", "value": {"mitigation_remediation": ["Update WP Lightbox 2 to version 3.0.7 or newer", "If the patch is unavailable, remove the plugin or restrict administrators from editing its settings", "Audit existing plugin configuration for unexpected scripts and monitor for changes"], "summary": {"action": "Patch", "impact": "Stored cross\u2011site scripting by high\u2011privileged users"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has WP Lightbox 2 installed in a version older than 3.0.7 is affected. The issue applies regardless of the core WordPress version but requires that the site contains the plugin and that a user with administrative privileges can modify its settings.", "description_and_impact": "The WP Lightbox 2 WordPress plugin before version 3.0.7 fails to sanitise and escape certain configuration settings. When an administrator adds malicious code to those settings, the stored script is later rendered on the settings page and executed, producing a stored cross\u2011site scripting attack. The vulnerability does not allow arbitrary code execution; it only enables the execution of client\u2011side scripts in the context of visitors who view the modified settings page.", "risk_and_exploitability": "The CVSS score of 4.8 indicates medium severity, and the EPSS score below 1% suggests that exploitation attempts will be uncommon. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator to use the plugin\u2019s settings interface to inject a payload; it typically does not rely on network\u2011level attacks. Once the malicious script is stored, it can affect any user who navigates to the settings page, leading to potential data theft or session hijacking for those visitors. The known attack vector is therefore an authenticated administrator with the ability to edit the plugin\u2019s settings, potentially inferred from the description."}}}}, "created": "2026-03-26T11:30:21.851189+00:00", "updated": "2026-03-29T20:27:59.326529+00:00", "vendors": ["syedbalkhi", "syedbalkhi$PRODUCT$wp_lightbox_2", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-79"]}