Lightbox & Modal Popup WordPress Plugin – FooBox Security & Risk Analysis

wordpress.org/plugins/foobox-image-lightbox

A responsive image lightbox for WordPress galleries, WordPress attachments & FooGallery

100K active installs · v2.7.41 · PHP + · WP 3.5.1+ · Updated Jan 21, 2026
gallery, images, lightbox, modal, popup
94
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jul 7, 2025
Safety Verdict

Is Lightbox & Modal Popup WordPress Plugin – FooBox Safe to Use in 2026?

Generally Safe

Score 94/100

Lightbox & Modal Popup WordPress Plugin – FooBox has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEs · Last CVE: Jul 7, 2025 · Updated 3mo ago
Risk Assessment

The overall security posture of foobox-image-lightbox v2.7.41 appears to be mixed. The static analysis reveals good practices such as 100% use of prepared statements for SQL queries and a very high rate of output escaping (97%). Furthermore, all identified entry points (AJAX handlers) have nonces and capability checks, indicating a strong emphasis on authorization and input validation at the code level. There are no critical or high-severity taint flows, and no unsanitized paths were found, suggesting a robust defense against common injection vulnerabilities within the analyzed code.

However, a significant concern arises from the plugin's vulnerability history. With a total of 5 known CVEs, including 1 high and 4 medium severity vulnerabilities, the plugin has a history of security flaws. The types of common vulnerabilities, such as Cross-Site Scripting and Missing Authorization, are concerning, especially when the static analysis shows no explicit evidence of these issues *in this specific version*. This history suggests that past versions have had exploitable weaknesses, and while this version might have addressed them, it points to potential recurring issues or a need for ongoing vigilance. The recent last vulnerability date also implies that active security issues have been discovered in relatively recent times.

In conclusion, while foobox-image-lightbox v2.7.41 demonstrates strengths in its current code's security practices with excellent output escaping and authorization checks on its entry points, its past vulnerability record necessitates a cautious approach. The presence of historical high and medium severity vulnerabilities, particularly those related to XSS and authorization, suggests a potential for future discoveries or that past issues might not be entirely resolved across all versions. The bundled Freemius library being v1.0 could also be a point of concern if it's outdated and has known vulnerabilities.

Key Concerns

  • High number of historical medium- and high-severity CVEs
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities
5 published

Lightbox & Modal Popup WordPress Plugin – FooBox Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2024: 2 CVEs
2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 4

5 total CVEs

CVE-2025-5537 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.34 - Authenticated (Author+) Stored Cross-Site Scripting

Jul 7, 2025 Patched in 2.7.35 (1d)
CVE-2025-32139 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FooBox Image Lightbox <= 2.7.33 - Authenticated (Author+) Stored Cross-Site Scripting

Apr 4, 2025 Patched in 2.7.34 (8d)
CVE-2024-5668 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.28 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes

Aug 7, 2024 Patched in 2.7.32 (1d)
CVE-2024-3276 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lightbox & Modal Popup WordPress Plugin – FooBox (Free and Premium) <= 2.7.27 - Authenticated (Admin+) Stored Cross-Site Scripting

May 28, 2024 Patched in 2.7.28 (3d)

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 2.6.4 (1793d)
Version History

Lightbox & Modal Popup WordPress Plugin – FooBox Release Timeline

v2.7.41 · Current · 69 files changed
v2.7.35 · 57 files changed
v2.7.34 · 1 CVE · 15 files changed
v2.7.33 · 2 CVEs · 51 files changed
v2.7.32 · 2 CVEs · 9 files changed
v2.7.28 · 3 CVEs · 63 files changed
v2.7.27 · 4 CVEs · 50 files changed
v2.7.25 · 4 CVEs · 112 files changed
v2.7.17 · 4 CVEs · 110 files changed
v2.7.11 · 4 CVEs · 124 files changed
Code Analysis
Analyzed Mar 16, 2026

Lightbox & Modal Popup WordPress Plugin – FooBox Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 7 (194 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

Output Escaping

97% escaped · 201 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
ajax_set_default_image_link_type (foobox-free.php:298)
Attack Surface

Lightbox & Modal Popup WordPress Plugin – FooBox Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

auth · wp_ajax_foobox_set_default_image_link_type · foobox-free.php:87
auth · wp_ajax_foobox_dismiss_default_link_notice · foobox-free.php:89
WordPress Hooks: 41

action · plugins_loaded · compatibility\class-elementor.php:8
filter · foobox_caption_title_attributes_override · compatibility\class-elementor.php:13
filter · foobox_caption_desc_attributes_override · compatibility\class-elementor.php:14
action · plugins_loaded · compatibility\class-envira.php:8
filter · foobox_caption_title_attributes_override · compatibility\class-envira.php:13
action · plugins_loaded · compatibility\class-wprocket.php:8
filter · rocket_excluded_inline_js_content · compatibility\class-wprocket.php:13
filter · rocket_delay_js_scripts · compatibility\class-wprocket.php:14
filter · rocket_defer_inline_exclusions · compatibility\class-wprocket.php:15
action · admin_init · foobox-free.php:75
filter · support_forum_submenu · foobox-free.php:77
filter · support_forum_url · foobox-free.php:78
filter · connect_url · foobox-free.php:79
action · admin_menu · foobox-free.php:80
action · after_premium_version_activation · foobox-free.php:81
filter · pricing/show_annual_in_monthly · foobox-free.php:82
action · admin_page_access_denied · foobox-free.php:83
action · admin_notices · foobox-free.php:85
action · admin_enqueue_scripts · free\foobox-free.php:45
action · foobox-free-settings_custom_type_render · free\foobox-free.php:47
filter · foobox-free-has_settings_page · free\foobox-free.php:53
action · enqueue_block_editor_assets · free\foobox-free.php:55
filter · fs_show_trial_foobox-image-lightbox · free\foobox-free.php:57
action · admin_init · free\foobox-free.php:58
action · wp_enqueue_scripts · free\foobox-free.php:63
action · wp_enqueue_scripts · free\foobox-free.php:66
action · wp_footer · free\foobox-free.php:69
action · init · free\includes\class-exclude.php:12
action · add_meta_boxes · free\includes\class-exclude.php:17
action · save_post · free\includes\class-exclude.php:18
filter · foobox_enqueue_scripts · free\includes\class-exclude.php:20
filter · foobox_enqueue_styles · free\includes\class-exclude.php:21
filter · foobox-free-admin_settings · free\includes\class-settings.php:8
action · init · free\includes\foopluginbase\classes\class-foo-plugin-base.php:114
action · wp_head · free\includes\foopluginbase\classes\class-foo-plugin-base.php:117
action · wp_footer · free\includes\foopluginbase\classes\class-foo-plugin-base.php:120
action · admin_init · free\includes\foopluginbase\classes\class-foo-plugin-base.php:124
action · admin_menu · free\includes\foopluginbase\classes\class-foo-plugin-base.php:127
action · admin_print_styles · free\includes\foopluginbase\classes\class-foo-plugin-base.php:133
action · admin_print_scripts · free\includes\foopluginbase\classes\class-foo-plugin-base.php:136
action · admin_menu · includes\admin\menu.php:11
Maintenance & Trust

Lightbox & Modal Popup WordPress Plugin – FooBox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 21, 2026
PHP min version
Downloads: 2.8M

Community Trust

Rating: 78/100
Number of ratings: 94
Active installs: 100K
Developer Profile

Lightbox & Modal Popup WordPress Plugin – FooBox Developer Profile

FooPlugins

5 plugins · 204K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 328 days
Detection Fingerprints

How We Detect Lightbox & Modal Popup WordPress Plugin – FooBox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/foobox-image-lightbox/free/css/foobox.css
/wp-content/plugins/foobox-image-lightbox/free/js/foobox.min.js
/wp-content/plugins/foobox-image-lightbox/free/js/themes/default.min.js
Script Paths
https://{$cdn_domain}/{$path}/{$js_file}.js
{$cdn_domain}/{$path}/{$js_file}.js
{$path}/{$js_file}.js
Version Parameters
foobox-image-lightbox/free/css/foobox.css?ver=
foobox-image-lightbox/free/js/foobox.min.js?ver=
foobox-image-lightbox/free/js/themes/default.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
foobox-wrapper, foobox-close, foobox-nav, foobox-next, foobox-prev, foobox-title, foobox-html, foobox-image, +6 more
HTML Comments
<!-- FooBox Lite Version -->
<!-- FooBox Pro Version -->
Data Attributes
data-foobox, data-foobox-group, data-foobox-width, data-foobox-height, data-foobox-title, data-foobox-caption, +2 more
JS Globals
foobox, FooBox, fb, jQuery.fn.foobox
FAQ

Frequently Asked Questions about Lightbox & Modal Popup WordPress Plugin – FooBox