cleantalk
Vulnerabilities and Security Researches

LightGallery WP, CVE-2025-5092

CVE, Research URL

CVE-2025-5092

Home page URL

Security reports for LightGallery WP

Application

LightGallery WP

Published on
Nov 20, 2025
Research Description
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.5.
Status
vulnerable
Previous vulnerability researches
WP Featured Content and Slider (deb685ef98e2416e44ec11d0a7e66dbb81ca65cf) , Jun 07, 2024
WP Featured Content and Slider (CVE-2026-6443) , Apr 23, 2026
New vulnerability
Breeze &#8211; WordPress Cache Plugin (CVE-2026-3844) , Apr 24, 2026
AI Engine (CVE-2025-8268) , Apr 24, 2026
Video gallery and Player (CVE-2026-6443) , Apr 24, 2026
Master Slider &#8211; Responsive Touch Slider (CVE-2025-58025) , Apr 24, 2026
Trending/Popular Post Slider and Widget (CVE-2026-6443) , Apr 24, 2026