Firelight Lightbox Security & Risk Analysis

wordpress.org/plugins/easy-fancybox

Formerly Easy Fancybox. The most popular WordPress lightbox plugin. Simple, fast, and responsive. Opens images, videos, PDFs, and custom popups.

200K active installs · v2.3.19 · PHP 7.0+ · WP 5.0+ · Updated Mar 13, 2026
Tags: gallery, image, lightbox, modal, photo
Score: 96
Grade: A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jun 19, 2025
Safety Verdict

Is Firelight Lightbox Safe to Use in 2026?

Generally Safe

Score 96/100

Firelight Lightbox has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jun 19, 2025 · Updated 21d ago
Risk Assessment

The Easy Fancybox plugin, version 2.3.19, exhibits a mixed security posture. Static analysis reveals a small attack surface with no immediate unprotected entry points, and the presence of nonce and capability checks on its AJAX handlers is a positive sign. However, a significant concern arises from its SQL query handling: the single identified query (100% of the total) does not use prepared statements. This lack of proper sanitization for SQL interactions, even with a single query, introduces a risk of SQL injection vulnerabilities if the input is not rigorously validated elsewhere.

The plugin's vulnerability history is particularly concerning, with a total of 5 known CVEs, all classified as medium severity and related to Cross-Site Scripting (XSS). The fact that these vulnerabilities are all marked as 'currently unpatched' is a critical red flag. While the last vulnerability was recorded in 2025, a date that may lie in the future, the pattern of repeated XSS vulnerabilities suggests a recurring issue with input sanitization and output escaping, despite static analysis showing a relatively high percentage (73%) of properly escaped outputs. The complete absence of taint analysis results could mean either that the tool found nothing or that it was not effectively applied to uncover potential issues, making the vulnerability history the primary indicator of deeper, persistent problems.

In conclusion, while Easy Fancybox has a small attack surface and implements some basic security checks, the unpatched XSS vulnerabilities and the use of raw SQL queries without prepared statements present considerable risks. The plugin's past indicates a pattern of insecurity that users should be aware of. The high number of past vulnerabilities, even if medium severity, should be a strong deterrent until they are definitively addressed.

Key Concerns

  • Unpatched CVEs present
  • Raw SQL query without prepared statements
  • High percentage of past vulnerabilities (XSS)
Vulnerabilities
5

Firelight Lightbox Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2024: 1 CVE
  • 2025: 3 CVEs
Legend: Patched / Has unpatched

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2025-52707 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Firelight Lightbox <= 2.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 19, 2025 · Patched in 2.3.17 (7d)
CVE-2025-5035 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Firelight Lightbox <= 2.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 6, 2025 · Patched in 2.3.16 (34d)
CVE-2025-3597 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Firelight Lightbox <= 2.3.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 21, 2025 · Patched in 2.3.15 (24d)
CVE-2024-50460 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Firelight Lightbox <= 2.3.3 - Authenticated (Author+) Stored Cross-Site Scripting

Oct 24, 2024 · Patched in 2.3.4 (7d)
CVE-2019-16524 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Fancybox <= 1.8.17 - Authenticated Stored Cross-Site Scripting

Sep 25, 2019 · Patched in 1.8.18 (1581d)
Code Analysis
Analyzed Mar 16, 2026

Firelight Lightbox Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 12 (33 escaped)
  • Nonce Checks: 2
  • Capability Checks: 4
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total query

Output Escaping

73% escaped · 45 total outputs
Attack Surface

Firelight Lightbox Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 2

  • auth · wp_ajax_efb-review-action · inc\class-easyfancybox-admin.php:73
  • auth · wp_ajax_efb-optin-action · inc\class-easyfancybox-admin.php:76
WordPress Hooks 19
  • action · init · easy-fancybox.php:68
  • action · admin_init · inc\class-easyfancybox-admin.php:53
  • action · admin_notices · inc\class-easyfancybox-admin.php:54
  • action · admin_enqueue_scripts · inc\class-easyfancybox-admin.php:57
  • action · enqueue_block_assets · inc\class-easyfancybox-admin.php:58
  • action · admin_init · inc\class-easyfancybox-admin.php:64
  • action · admin_init · inc\class-easyfancybox-admin.php:65
  • action · admin_init · inc\class-easyfancybox-admin.php:66
  • action · admin_init · inc\class-easyfancybox-admin.php:67
  • action · admin_menu · inc\class-easyfancybox-admin.php:68
  • action · wp_loaded · inc\class-easyfancybox-admin.php:71
  • action · admin_notices · inc\class-easyfancybox-admin.php:72
  • action · init · inc\class-easyfancybox.php:199
  • action · wp_enqueue_scripts · inc\class-easyfancybox.php:207
  • filter · wp_theme_json_data_user · inc\class-easyfancybox.php:208
  • action · wp_head · inc\class-easyfancybox.php:306
  • action · wp_head · inc\class-easyfancybox.php:321
  • action · wp_head · inc\class-easyfancybox.php:330
  • action · wp_enqueue_scripts · inc\class-easyfancybox.php:577
Maintenance & Trust

Firelight Lightbox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 13, 2026
PHP min version: 7.0
Downloads: 7.6M

Community Trust

Rating: 96/100
Number of ratings: 330
Active installs: 200K
Developer Profile

Firelight Lightbox Developer Profile

FirelightWP

2 plugins · 240K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 240 days
Detection Fingerprints

How We Detect Firelight Lightbox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/easy-fancybox/css/fancybox.css
  • /wp-content/plugins/easy-fancybox/js/fancybox.js
  • /wp-content/plugins/easy-fancybox/js/jquery.mousewheel-3.0.6.pack.js
  • /wp-content/plugins/easy-fancybox/js/jquery.easing-1.3.pack.js
  • /wp-content/plugins/easy-fancybox/js/jquery.fancybox-1.3.4.pack.js
  • /wp-content/plugins/easy-fancybox/js/easy-fancybox.js
  • /wp-content/plugins/easy-fancybox/css/jquery.fancybox-1.3.4.css
Script Paths
  • /wp-content/plugins/easy-fancybox/js/fancybox.js
  • /wp-content/plugins/easy-fancybox/js/jquery.mousewheel-3.0.6.pack.js
  • /wp-content/plugins/easy-fancybox/js/jquery.easing-1.3.pack.js
  • /wp-content/plugins/easy-fancybox/js/jquery.fancybox-1.3.4.pack.js
  • /wp-content/plugins/easy-fancybox/js/easy-fancybox.js
Version Parameters
  • easy-fancybox/css/fancybox.css?ver=
  • easy-fancybox/js/fancybox.js?ver=
  • easy-fancybox/js/jquery.mousewheel-3.0.6.pack.js?ver=
  • easy-fancybox/js/jquery.easing-1.3.pack.js?ver=
  • easy-fancybox/js/jquery.fancybox-1.3.4.pack.js?ver=
  • easy-fancybox/js/easy-fancybox.js?ver=

HTML / DOM Fingerprints

CSS Classes
fancybox-wrap, fancybox-outer, fancybox-bg, fancybox-inner, fancybox-nav, fancybox-overlay, fancybox-close, fancybox-next, +1 more
HTML Comments
  • <!-- Easy FancyBox Plugin -->
  • <!-- Get email updates -->
Data Attributes
data-fancybox, data-caption, data-type
JS Globals
easy_fancybox_settings
FAQ

Frequently Asked Questions about Firelight Lightbox