Skip to main content

WordPress EUVD-2026-16122

| CVE-2026-1430 MEDIUM
2026-03-26 WPScan
WordPress XSS
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch available
Apr 16, 2026 - 05:29 EUVD
3.0.7
PoC Detected
Mar 26, 2026 - 15:13 vuln.today
Public exploit code
EUVD ID Assigned
Mar 26, 2026 - 06:30 euvd
EUVD-2026-16122
Analysis Generated
Mar 26, 2026 - 06:30 vuln.today
CVE Published
Mar 26, 2026 - 06:00 nvd
MEDIUM 4.8

DescriptionCVE.org

The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AnalysisAI

WP Lightbox 2 WordPress plugin before version 3.0.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its settings due to insufficient input sanitization and output escaping. High-privilege users, particularly administrators, can inject malicious JavaScript that persists in the database and executes in the browsers of other users, even in multisite installations where the unfiltered_html capability is restricted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The real-world risk is substantial despite missing CVSS and EPSS metrics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with administrator access to a WordPress multisite installation injects malicious JavaScript into the WP Lightbox 2 settings (for example, in the lightbox caption or styling options field). Because the plugin does not properly escape output, the injected script persists in the wp_options table. …
Remediation Update WP Lightbox 2 to version 3.0.7 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8935 CRITICAL POC
9.8 Jun 15

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that i
CVE-2026-10795 HIGH POC
8.1 Jun 11

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticat
CVE-2026-8089 HIGH POC
7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH POC
7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-52704 CRITICAL
10.0 Jun 15

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows un

Share

EUVD-2026-16122 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy