Stored Cross-Site Scripting Vulnerability in LightPress Lightbox Plugin for WordPress
CVE-2026-4379

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Lightpress Lightbox
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-4379?

The LightPress Lightbox plugin for WordPress contains a vulnerability that allows authenticated attackers to perform Stored Cross-Site Scripting. This occurs through manipulation of the group attribute in the [gallery] shortcode. The vulnerability exists due to insufficient escaping of user input, enabling attackers with Contributor-level permissions or higher to inject malicious scripts into web pages. This compromised content would execute whenever an unsuspecting user visits the affected page, potentially leading to unauthorized access and data breaches.

Affected Version(s)

LightPress Lightbox 0 <= 2.3.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-jquery-ligh...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 18, 2026

Credit

Muhammad Yudha - DJ

CVE-2026-4379 Data

JSON