cleantalk
Vulnerabilities and Security Researches

Responsive Lightbox & Gallery, CVE-2026-2479

CVE, Research URL

CVE-2026-2479

Home page URL

Security reports for Responsive Lightbox & Gallery

Application

Responsive Lightbox & Gallery

Published on
Feb 25, 2026
Research Description
The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of `strpos()` for substring-based hostname validation instead of strict host comparison in the `ajax_upload_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
Affected versions
max 2.7.2.
Status
vulnerable
Previous vulnerability researches
Video & Photo Gallery for Ultimate Member (CVE-2025-32121) , Apr 06, 2025
Video & Photo Gallery for Ultimate Member (CVE-2024-12162) , Dec 13, 2024
Video & Photo Gallery for Ultimate Member (CVE-2024-54370) , Dec 18, 2024
Video & Photo Gallery for Ultimate Member (CVE-2025-22672) , Feb 20, 2025
New vulnerability
Consensus Embed (CVE-2026-1823) , Apr 15, 2026
Media Library Folders (CVE-2026-2312) , Apr 15, 2026
Nexter Extension (CVE-2026-0726) , Apr 15, 2026
CallbackKiller service widget (CVE-2026-1944) , Apr 15, 2026
Robin image optimizer — save money on image compression (CVE-2026-1319) , Apr 15, 2026