cleantalk
Vulnerabilities and Security Researches

LightGallery WP, CVE-2025-5092

CVE, Research URL

CVE-2025-5092

Home page URL

Security reports for LightGallery WP

Application

LightGallery WP

Published on
Nov 20, 2025
Research Description
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.5.
Status
vulnerable
Previous vulnerability researches
Booking Calendar &#8211; Clockwork SMS (CVE-2017-17780) , Jun 07, 2024
Booking Calendar &#8211; Clockwork SMS (CVE-2017-18555) , Jun 07, 2024
New vulnerability
Trending/Popular Post Slider and Widget (CVE-2026-6443) , Apr 24, 2026
JetWidgets For Elementor (CVE-2025-8195) , Apr 24, 2026
WPComplete (CVE-2025-58974) , Apr 24, 2026
ER Swiffy Insert (CVE-2026-4082) , Apr 24, 2026
Double the Donation &#8211; A matching gift plug-in to help your fundraising efforts (CVE-2025-57930) , Apr 24, 2026