{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4805", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-25T12:08:24.784Z", "datePublished": "2026-04-28T06:45:46.877Z", "dateUpdated": "2026-04-28T14:12:31.748Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-28T06:45:46.877Z"}, "affected": [{"vendor": "duongancol", "product": "Woostify", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Woostify <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lity.js Library via data-lity Attribute in Custom HTML Block", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/883ad6f7-e701-4708-b5d4-69b72ff38499?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L142"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L611"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L635"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L163"}, {"url": "https://github.com/woostify/woostify/commit/a4669598aa8c5de344dda6c3d42389a3c2e61adc"}, {"url": "https://themes.trac.wordpress.org/changeset?old_path=%2Fwoostify/2.5.0&new_path=%2Fwoostify/2.5.1"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-03-31T05:44:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-27T18:15:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:12:22.670162Z", "id": "CVE-2026-4805", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:12:31.748Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4805", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:12:22.670162Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:12:27.839Z"}}], "cna": {"title": "Woostify <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lity.js Library via data-lity Attribute in Custom HTML Block", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "duongancol", "product": "Woostify", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-31T05:44:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-27T18:15:01.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/883ad6f7-e701-4708-b5d4-69b72ff38499?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L142"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L611"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L635"}, {"url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L163"}, {"url": "https://github.com/woostify/woostify/commit/a4669598aa8c5de344dda6c3d42389a3c2e61adc"}, {"url": "https://themes.trac.wordpress.org/changeset?old_path=%2Fwoostify/2.5.0&new_path=%2Fwoostify/2.5.1"}], "descriptions": [{"lang": "en", "value": "The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-28T06:45:46.877Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4805", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:12:31.748Z", "dateReserved": "2026-03-25T12:08:24.784Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-28T06:45:46.877Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4805", "lastModified": "2026-04-28T20:26:04.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-28T08:16:01.800", "references": [{"source": "security@wordfence.com", "url": "https://github.com/woostify/woostify/commit/a4669598aa8c5de344dda6c3d42389a3c2e61adc"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L142"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L163"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L611"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/woostify/2.4.6/assets/js/lity.js#L635"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset?old_path=%2Fwoostify/2.5.0&new_path=%2Fwoostify/2.5.1"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/883ad6f7-e701-4708-b5d4-69b72ff38499?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Woostify", "source": "cna", "vendor": "duongancol"}, "product": "woostify", "vendor": "duongancol"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T12:23:14.850978+00:00", "value": {"mitigation_remediation": ["Upgrade the Woostify plugin to version\u202f2.5.1 or later, which removes the vulnerable code in Lity.js", "Restrict Contributor\u2011level access or re\u2011grant roles to limit the ability to edit custom HTML blocks, thereby reducing the attack surface", "If an immediate upgrade is not possible, disable the Lity.js library or remove custom HTML blocks containing the vulnerable data\u2011lity attribute to block potential injection"], "summary": {"action": "Patch immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Woostify, a WordPress theme/plugin developed by duongancol, is affected in all releases up to and including version 2.5.0. Users deploying these versions on their WordPress sites are at risk.", "description_and_impact": "The vulnerability exists in the bundled Lity.js lightbox library of the Woostify plugin, where user-controlled input from the href attribute is concatenated directly into a jQuery\u2013generated HTML string without proper sanitization or escaping. This flaw qualifies as a stored XSS (CWE\u201179) and permits an authenticated attacker to inject arbitrary JavaScript that will run for any visitor who views an affected page.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4, indicating a moderate severity. The EPSS score is not available, but the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authenticated access with Contributor-level or higher privileges, the likely attack vector is a compromised contributor account or a privileged user exploiting the custom HTML block. Once injected, the malicious script executes in every user's browser, potentially compromising credentials and data, or hijacking user sessions."}}}}, "created": "2026-04-28T09:16:08.063918+00:00", "updated": "2026-04-28T12:30:31.061427+00:00", "vendors": ["duongancol", "duongancol$PRODUCT$woostify", "wordpress", "wordpress$PRODUCT$wordpress"]}