cleantalk
Vulnerabilities and Security Researches

Easy FancyBox – WordPress Lightbox Plugin, CVE-2025-5035

CVE, Research URL

CVE-2025-5035

Home page URL

Security reports for Easy FancyBox – WordPress Lightbox Plugin

Application

Easy FancyBox – WordPress Lightbox Plugin

Published on
Jun 27, 2025
Research Description
The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.
Affected versions
max 2.3.16.
Status
vulnerable
Previous vulnerability researches
WP Newsletter Subscription (CVE-2024-44012) , Sep 28, 2024
New vulnerability
Easy FancyBox – WordPress Lightbox Plugin (CVE-2025-5035) , Apr 26, 2026
Elementor Header & Footer Builder (CVE-2025-9703) , Apr 26, 2026
Event Tickets Manager for WooCommerce – Events and Bookings Calendar, Registration, Event Check-in Using Emails, Edit Your T (CVE-2026-34898) , Apr 26, 2026
Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking (CVE-2024-8860) , Apr 26, 2026
Responsive Lightbox & Gallery (CVE-2025-9710) , Apr 26, 2026