The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute of the `[gallery]` shortcode in all versions up to, and including, 2.3.4. The plugin rewrites the gallery shortcode output to include the `group` attribute value without escaping it, so a value containing a quote character closes the HTML attribute it is written into and the remainder is rendered as markup. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages; the script executes whenever a user loads an injected page. Because Contributors cannot publish, the payload typically fires first for the Editor or Administrator who previews the pending post, and then for every visitor once the post is published.
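As an added illustration (not code from the plugin or from the advisory), the following Python models the bug class described above: it parses a gallery shortcode with a simplified version of WordPress's shortcode_parse_atts() rules, writes the group value into a hypothetical wrapper element both unescaped and escaped, and then shows what an HTML parser sees as attributes in each case. The sample post, the payload and the `data-lightbox-group` markup are constructed for the example; html.escape(quote=True) stands in for WordPress esc_attr().

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample post body (not from the advisory). The group value is
# written with single quotes so it can carry a double quote, which closes the
# attribute the plugin later writes the value into.
SAMPLE_POST = (
    "Holiday photos below.\n"
    "[gallery ids=\"4,5\" group='set\" onmouseover=\"alert(document.cookie)']\n"
)

SHORTCODE_RE = re.compile(r"\[gallery\b([^\]]*)\]")
# Simplified form of WordPress shortcode_parse_atts(): key="v", key='v', key=v.
ATTR_RE = re.compile(
    r'([\w-]+)\s*=\s*"([^"]*)"'
    r"|([\w-]+)\s*=\s*'([^']*)'"
    r'|([\w-]+)\s*=\s*([^\s\'"]+)'
)


def gallery_shortcodes(post_body):
    """Return one attribute dict per [gallery ...] shortcode in the post."""
    result = []
    for sc in SHORTCODE_RE.finditer(post_body):
        atts = {}
        for m in ATTR_RE.finditer(sc.group(1)):
            for i in (1, 3, 5):  # whichever alternative matched holds the key
                if m.group(i):
                    atts[m.group(i).lower()] = m.group(i + 1)
                    break
        result.append(atts)
    return result


def render_vulnerable(atts):
    # Hypothetical wrapper markup. The bug class: the group value is concatenated
    # into an HTML attribute with no escaping, so a double quote in it ends the
    # attribute and whatever follows becomes new attributes.
    group = atts.get("group", "")
    return f'<div class="gallery" data-lightbox-group="{group}">...</div>'


def render_fixed(atts):
    # html.escape(quote=True) turns & < > " ' into entities, the same set that
    # WordPress esc_attr() neutralises, so the value stays inside the quotes.
    group = html.escape(atts.get("group", ""), quote=True)
    return f'<div class="gallery" data-lightbox-group="{group}">...</div>'


class _FirstDiv(HTMLParser):
    """Collect the attributes a browser-style parser sees on the first <div>."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "div" and self.attrs is None:
            self.attrs = dict(attrs)


def div_attributes(markup):
    p = _FirstDiv()
    p.feed(markup)
    return p.attrs or {}


if __name__ == "__main__":
    atts = gallery_shortcodes(SAMPLE_POST)[0]
    print("vulnerable:", div_attributes(render_vulnerable(atts)))
    print("fixed:     ", div_attributes(render_fixed(atts)))
```

In the unescaped rendering the parser reports an `onmouseover` attribute on the wrapper; in the escaped rendering the entire injected string survives only as the value of `data-lightbox-group`, which is exactly the property an attribute-context escape must guarantee.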
The LightPress Lightbox plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the gallery shortcode's group attribute that allows authenticated contributors to inject malicious scripts. These scripts execute when users access affected pages, potentially compromising website security and user data.
The LightPress Lightbox plugin contains a stored XSS vulnerability in the group attribute inside the gallery shortcode, where the value is not properly sanitized before being rendered. Users with Contributor privileges and above can inject malicious JavaScript code that executes when the affected pages are visited.
Update the LightPress Lightbox plugin to version 2.3.5 or later immediately. If immediate patching is not possible, restrict Contributor-level access to trusted users only, review pending and published posts for `[gallery]` shortcodes whose `group` value contains quote or angle-bracket characters, and implement Web Application Firewall rules to detect and block XSS payloads in gallery shortcodes submitted in post content.
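The interim review step above can be automated. The following is an added example, not the plugin's or the advisory's own code: it scans rows of post content (constructed here to stand in for `wp_posts` exports) for `[gallery]` shortcodes whose `group` value contains characters that can never appear in a legitimate group name but are exactly what an attribute break-out needs. The same pattern, applied to the `post_content` field of the post-save request, is what a WAF rule for this issue would match.

```python
import re

# Constructed sample rows (post_id, post_content); not real site data.
SAMPLE_POSTS = [
    (101, 'Intro [gallery ids="1,2,3" group="trip-2024"] outro'),
    (102, '[gallery ids="7" group=\'x" onfocus="alert(1)" autofocus="\']'),
    (103, "no shortcode here"),
    (104, '[gallery group="a<svg onload=alert(1)>"]'),
    (105, '[gallery ids="9" group=team photos]'),  # bare value, benign
    (106, '[gallery ids="2" group="x\' onmouseover=\'alert(1)"]'),
]

SHORTCODE_RE = re.compile(r"\[gallery\b([^\]]*)\]")
# group="v" | group='v' | group=v, following the shortcode attribute grammar.
GROUP_RE = re.compile(
    r"""group\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]'"]+))""", re.IGNORECASE
)
# Characters that close an attribute or open a tag; a gallery group name
# (a plain label used to link images into one lightbox set) never needs them.
SUSPECT_CHARS = set("\"'<>")


def scan_posts(rows):
    """Return a finding for every gallery group value that can break out of an attribute."""
    findings = []
    for post_id, body in rows:
        for sc in SHORTCODE_RE.finditer(body):
            for gm in GROUP_RE.finditer(sc.group(1)):
                value = next(v for v in gm.groups() if v is not None)
                bad = sorted(SUSPECT_CHARS & set(value))
                if bad:
                    findings.append({"post_id": post_id, "group": value, "chars": bad})
    return findings


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: suspicious group value {f['group']!r} (chars {f['chars']})")
```

Posts flagged by the scan should be held in review (or unpublished) until the plugin is updated; the check is deliberately narrow so that it does not fire on ordinary gallery markup.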
Update the LightPress Lightbox plugin to version 2.3.5 or later immediately. If an immediate update is not possible, restrict Contributor-level access to trusted users only and apply Web Application Firewall rules to detect XSS payloads.