Lightbox & Modal Popup WordPress Plugin – FooBox Security & Risk Analysis

wordpress.org/plugins/foobox-image-lightbox

A responsive image lightbox for WordPress galleries, WordPress attachments & FooGallery

100K active installs · v2.7.41 · PHP + WP 3.5.1+ · Updated Jan 21, 2026
Tags: gallery, images, lightbox, modal, popup
Score: 94 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Jul 7, 2025
Safety Verdict

Is Lightbox & Modal Popup WordPress Plugin – FooBox Safe to Use in 2026?

Generally Safe

Score 94/100

Lightbox & Modal Popup WordPress Plugin – FooBox has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jul 7, 2025 · Updated 2mo ago
Risk Assessment

The overall security posture of foobox-image-lightbox v2.7.41 appears to be mixed. The static analysis reveals good practices such as 100% use of prepared statements for SQL queries and a very high rate of output escaping (97%). Furthermore, all identified entry points (AJAX handlers) have nonces and capability checks, indicating a strong emphasis on authorization and input validation at the code level. There are no critical or high-severity taint flows, and no unsanitized paths were found, suggesting a robust defense against common injection vulnerabilities within the analyzed code.

However, a significant concern arises from the plugin's vulnerability history. With a total of 5 known CVEs, including 1 high and 4 medium severity vulnerabilities, the plugin has a history of security flaws. The types of common vulnerabilities, such as Cross-Site Scripting and Missing Authorization, are concerning, especially when the static analysis shows no explicit evidence of these issues *in this specific version*. This history suggests that past versions have had exploitable weaknesses, and while this version might have addressed them, it points to potential recurring issues or a need for ongoing vigilance. The recent last vulnerability date also implies that active security issues have been discovered in relatively recent times.

In conclusion, while foobox-image-lightbox v2.7.41 demonstrates strengths in its current code's security practices with excellent output escaping and authorization checks on its entry points, its past vulnerability record necessitates a cautious approach. The presence of historical high and medium severity vulnerabilities, particularly those related to XSS and authorization, suggests a potential for future discoveries or that past issues might not be entirely resolved across all versions. The bundled Freemius library being v1.0 could also be a point of concern if it's outdated and has known vulnerabilities.

Key Concerns

  • A history of medium and high severity CVEs
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities: 5

Lightbox & Modal Popup WordPress Plugin – FooBox Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2024: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2025-5537 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.34 - Authenticated (Author+) Stored Cross-Site Scripting

Jul 7, 2025 · Patched in 2.7.35 (1d)

CVE-2025-32139 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FooBox Image Lightbox <= 2.7.33 - Authenticated (Author+) Stored Cross-Site Scripting

Apr 4, 2025 · Patched in 2.7.34 (8d)

CVE-2024-5668 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.28 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes

Aug 7, 2024 · Patched in 2.7.32 (1d)

CVE-2024-3276 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lightbox & Modal Popup WordPress Plugin – FooBox (Free and Premium) <= 2.7.27 - Authenticated (Admin+) Stored Cross-Site Scripting

May 28, 2024 · Patched in 2.7.28 (3d)

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 · Patched in 2.6.4 (1793d)
Code Analysis
Analyzed Mar 16, 2026

Lightbox & Modal Popup WordPress Plugin – FooBox Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 7 (194 escaped)
  • Nonce Checks: 3
  • Capability Checks: 4
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

Output Escaping

97% escaped · 201 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
ajax_set_default_image_link_type (foobox-free.php:298)
Attack Surface

Lightbox & Modal Popup WordPress Plugin – FooBox Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

  • auth · wp_ajax_foobox_set_default_image_link_type · foobox-free.php:87
  • auth · wp_ajax_foobox_dismiss_default_link_notice · foobox-free.php:89

WordPress Hooks: 41

  • action · plugins_loaded · compatibility\class-elementor.php:8
  • filter · foobox_caption_title_attributes_override · compatibility\class-elementor.php:13
  • filter · foobox_caption_desc_attributes_override · compatibility\class-elementor.php:14
  • action · plugins_loaded · compatibility\class-envira.php:8
  • filter · foobox_caption_title_attributes_override · compatibility\class-envira.php:13
  • action · plugins_loaded · compatibility\class-wprocket.php:8
  • filter · rocket_excluded_inline_js_content · compatibility\class-wprocket.php:13
  • filter · rocket_delay_js_scripts · compatibility\class-wprocket.php:14
  • filter · rocket_defer_inline_exclusions · compatibility\class-wprocket.php:15
  • action · admin_init · foobox-free.php:75
  • filter · support_forum_submenu · foobox-free.php:77
  • filter · support_forum_url · foobox-free.php:78
  • filter · connect_url · foobox-free.php:79
  • action · admin_menu · foobox-free.php:80
  • action · after_premium_version_activation · foobox-free.php:81
  • filter · pricing/show_annual_in_monthly · foobox-free.php:82
  • action · admin_page_access_denied · foobox-free.php:83
  • action · admin_notices · foobox-free.php:85
  • action · admin_enqueue_scripts · free\foobox-free.php:45
  • action · foobox-free-settings_custom_type_render · free\foobox-free.php:47
  • filter · foobox-free-has_settings_page · free\foobox-free.php:53
  • action · enqueue_block_editor_assets · free\foobox-free.php:55
  • filter · fs_show_trial_foobox-image-lightbox · free\foobox-free.php:57
  • action · admin_init · free\foobox-free.php:58
  • action · wp_enqueue_scripts · free\foobox-free.php:63
  • action · wp_enqueue_scripts · free\foobox-free.php:66
  • action · wp_footer · free\foobox-free.php:69
  • action · init · free\includes\class-exclude.php:12
  • action · add_meta_boxes · free\includes\class-exclude.php:17
  • action · save_post · free\includes\class-exclude.php:18
  • filter · foobox_enqueue_scripts · free\includes\class-exclude.php:20
  • filter · foobox_enqueue_styles · free\includes\class-exclude.php:21
  • filter · foobox-free-admin_settings · free\includes\class-settings.php:8
  • action · init · free\includes\foopluginbase\classes\class-foo-plugin-base.php:114
  • action · wp_head · free\includes\foopluginbase\classes\class-foo-plugin-base.php:117
  • action · wp_footer · free\includes\foopluginbase\classes\class-foo-plugin-base.php:120
  • action · admin_init · free\includes\foopluginbase\classes\class-foo-plugin-base.php:124
  • action · admin_menu · free\includes\foopluginbase\classes\class-foo-plugin-base.php:127
  • action · admin_print_styles · free\includes\foopluginbase\classes\class-foo-plugin-base.php:133
  • action · admin_print_scripts · free\includes\foopluginbase\classes\class-foo-plugin-base.php:136
  • action · admin_menu · includes\admin\menu.php:11
Maintenance & Trust

Lightbox & Modal Popup WordPress Plugin – FooBox Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 21, 2026
  • PHP min version
  • Downloads: 2.8M

Community Trust

  • Rating: 78/100
  • Number of ratings: 94
  • Active installs: 100K
Developer Profile

Lightbox & Modal Popup WordPress Plugin – FooBox Developer Profile

FooPlugins

4 plugins · 204K total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 328 days
Detection Fingerprints

How We Detect Lightbox & Modal Popup WordPress Plugin – FooBox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/foobox-image-lightbox/free/css/foobox.css
  • /wp-content/plugins/foobox-image-lightbox/free/js/foobox.min.js
  • /wp-content/plugins/foobox-image-lightbox/free/js/themes/default.min.js

Script Paths

  • https://{$cdn_domain}/{$path}/{$js_file}.js
  • {$cdn_domain}/{$path}/{$js_file}.js
  • {$path}/{$js_file}.js

Version Parameters

  • foobox-image-lightbox/free/css/foobox.css?ver=
  • foobox-image-lightbox/free/js/foobox.min.js?ver=
  • foobox-image-lightbox/free/js/themes/default.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • foobox-wrapper
  • foobox-close
  • foobox-nav
  • foobox-next
  • foobox-prev
  • foobox-title
  • foobox-html
  • foobox-image
  • +6 more

HTML Comments

  • <!-- FooBox Lite Version -->
  • <!-- FooBox Pro Version -->

Data Attributes

  • data-foobox
  • data-foobox-group
  • data-foobox-width
  • data-foobox-height
  • data-foobox-title
  • data-foobox-caption
  • +2 more

JS Globals

  • foobox
  • FooBox
  • fb
  • jQuery.fn.foobox
FAQ

Frequently Asked Questions about Lightbox & Modal Popup WordPress Plugin – FooBox