WP Lightbox 2 is a WordPress plugin designed to add a responsive lightbox overlay effect to images displayed on a website. The plugin automatically enables lightbox functionality for images and galleries and provides several configuration options, including animation settings, overlay opacity, image information display, and additional descriptive text.
During security testing, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the plugin’s settings panel. The issue allows malicious JavaScript to be injected through the “Additional text below image info” configuration field. Because this value is stored and later rendered on pages where the lightbox is used, the injected script may execute in the browsers of site visitors or administrators.
This vulnerability is tracked as CVE-2026-1430.
| CVE | CVE-2026-1430 |
| Plugin Version | WP Lightbox 2 |
| All Time | 1 274 366 |
| Active installations | 30 000+ |
| Publicly Published | March 18, 2026 |
| Last Updated | March 18, 2026 |
| Researcher | Artyom Krugov |
| PoC | Yes |
| Exploit | No |
| Reference | https://www.cve.org/CVERecord?id=CVE-2026-1430 https://wpscan.com/vulnerability/e0536061-140d-47eb-9e8b-9785b52c62f7/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| January 20, 2026 | Plugin testing and vulnerability detection in the Wp Lightbox 2 have been completed |
| January 20, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 18, 2026 | Registered CVE-2026-1430 |
Discovery of the Vulnerability
The vulnerability was discovered during analysis of plugin configuration fields that accept user input without sufficient sanitization or output escaping.
The “Additional text below image info” field allows administrators to insert custom text that appears under the image information within the lightbox overlay. However, the plugin does not properly validate or escape this input before rendering it in the HTML output.
As a result, malicious HTML or JavaScript can be stored in the database and executed when the lightbox component is displayed.
Understanding of Stored XSS attack’s
Stored XSS in WooCommerce is particularly dangerous because order views are a privileged workflow surface. Administrators open orders constantly, customer service staff view order details, and order emails can be processed by systems that render HTML. A vulnerability that originates from a checkout field is also attractive to attackers because it can be triggered by a normal purchase flow, sometimes without needing an account at all. Real world outcomes of stored XSS in an order context include stealing admin cookies, forcing background actions using the victim’s session, creating new administrator users, changing payment settings, or installing plugins, depending on what defensive controls are present. The critical lesson here is that safe output encoding must be consistent and one directional. Once you escape, you never decode back into HTML. The moment you do, you have effectively re enabled the attacker’s markup. Allowing event handler attributes like onchange inside wp_kses rules is a strong signal that the allow list is being used incorrectly, because event handlers are code execution primitives in the browser.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2026-1430:
POC:
1)Log in to the WordPress administration panel. 2)Navigate to WP Lightbox 2 → Lightbox General Settings. 3)Locate the Additional text below image info field. 4)Insert the following payload: "><img src=x onerror=alert(777)> 5) Save the settings. 6) Create or view a page that loads images with the lightbox functionality enabled.____
When the lightbox is triggered, the injected payload executes in the browser.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2026-1430, administrators should update the WP Lightbox 2 plugin as soon as a patched version becomes available or disable the plugin if no fix has been released. All configuration fields that accept user input, including Additional text below image info, should be properly sanitized before being stored and escaped before being rendered in HTML. Developers should apply WordPress sanitization functions such as sanitize_text_field() when processing input and esc_html() or esc_attr() when outputting data. Implementing strict input validation will help ensure that only expected content types are accepted. Administrators should also limit access to plugin settings to trusted users, regularly audit stored plugin configuration values, and deploy security monitoring solutions such as Web Application Firewalls or security plugins to detect suspicious activity. In addition, applying a strong Content Security Policy (CSP) can reduce the impact of potential XSS attacks by restricting the execution of inline scripts.
By taking proactive measures to address Stored XSS like CVE-2026-1430 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #Vulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.