WP Video Lightbox Security & Risk Analysis

wordpress.org/plugins/wp-video-lightbox

Very easy to use WordPress lightbox plugin to display YouTube and Vimeo videos in an elegant lightbox overlay.

30K active installs · v1.9.12 · PHP + · WP 3.0+ · Updated Apr 17, 2025
Tags: video-lightbox, wordpress-lightbox, wordpress-video-embed, wordpress-video-lightbox, wp-video-lightbox

Score: 97 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: May 1, 2024

Safety Verdict

Is WP Video Lightbox Safe to Use in 2026?

Generally Safe

Score 97/100

WP Video Lightbox has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: May 1, 2024 · Updated 11mo ago

Risk Assessment

Version 1.9.12 of the wp-video-lightbox plugin presents a mixed security posture. Static analysis shows a commendable absence of dangerous functions, raw SQL queries, and file operations, and a high percentage of properly escaped output, but there are notable areas of concern. The plugin lacks any capability checks, which is a significant weakness given its potential to interact with user data or site functionality. The vulnerability history is particularly alarming: 5 known CVEs in total, all classified as medium severity and primarily related to Cross-Site Scripting (XSS). Although no CVEs are currently unpatched, the recurrence of XSS vulnerabilities suggests a persistent weakness in input sanitization or output encoding within the plugin's development lifecycle. No taint-analysis flows were flagged, which could be due to the limited scope of the analysis or to the specific nature of vulnerabilities that are not triggered in the analyzed code paths. In conclusion, while the plugin demonstrates some good security practices in its code, the history of XSS vulnerabilities and the complete lack of capability checks warrant careful consideration and potentially pose a risk to sites using this plugin.

Key Concerns

  • Total known CVEs: 5 (medium severity)
  • No capability checks
  • Output escaping: 81% properly escaped (19% unescaped)
Vulnerabilities
5

WP Video Lightbox Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2022: 3 CVEs
  • 2024: 1 CVE

Severity Breakdown

  • Medium: 5

5 total CVEs

CVE-2024-4324 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Video Lightbox <= 1.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

May 1, 2024 · Patched in 1.9.11 (2d)

CVE-2022-4465 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Video Lightbox <= 1.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 21, 2022 · Patched in 1.9.7 (398d)

WF-cf44a96e-0efb-4363-9f49-ba4a82924569-wp-video-lightbox · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Video Lightbox <= 1.9.5 - Authenticated Stored Cross-Site Scripting

Jul 4, 2022 · Patched in 1.9.6 (568d)

CVE-2022-2189 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Video Lightbox <= 1.9.4 - Reflected Cross-Site Scripting

Jun 30, 2022 · Patched in 1.9.5 (572d)

CVE-2021-24665 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Video Lightbox <= 1.9.2 - Contributor+ Stored Cross-Site Scripting

Aug 23, 2021 · Patched in 1.9.3 (883d)

Code Analysis
Analyzed Mar 16, 2026

WP Video Lightbox Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 11 (46 escaped)
  • Nonce Checks: 3
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

Output Escaping

81% escaped · 57 total outputs

Attack Surface

WP Video Lightbox Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[video_lightbox_vimeo5] misc_functions.php:2
[video_lightbox_youtube] misc_functions.php:3

WordPress Hooks 9

action init wp-video-lightbox.php:31
action wp_enqueue_scripts wp-video-lightbox.php:32
action wp_head wp-video-lightbox.php:33
action wp_footer wp-video-lightbox.php:34
action plugins_loaded wp-video-lightbox.php:55
filter widget_text wp-video-lightbox.php:58
filter the_excerpt wp-video-lightbox.php:59
filter the_content wp-video-lightbox.php:60
action admin_menu wpvl-settings.php:7

Maintenance & Trust

WP Video Lightbox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 17, 2025
PHP min version
Downloads: 1.3M

Community Trust

Rating: 86/100
Number of ratings: 67
Active installs: 30K

Developer Profile

WP Video Lightbox Developer Profile

wptipsntricks

2 plugins · 30K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 485 days
Detection Fingerprints

How We Detect WP Video Lightbox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-video-lightbox/asset/js/jquery.prettyPhoto.js
  • /wp-content/plugins/wp-video-lightbox/asset/js/jquery.prettyPhoto.init.js
  • /wp-content/plugins/wp-video-lightbox/asset/css/prettyPhoto.css
  • /wp-content/plugins/wp-video-lightbox/asset/css/wp-video-lightbox.css
  • /wp-content/plugins/wp-video-lightbox/asset/js/fancybox.umd.js
  • /wp-content/plugins/wp-video-lightbox/asset/js/wp-video-lightbox.js

Script Paths

  • /wp-content/plugins/wp-video-lightbox/asset/js/jquery.prettyPhoto.js
  • /wp-content/plugins/wp-video-lightbox/asset/js/jquery.prettyPhoto.init.js
  • /wp-content/plugins/wp-video-lightbox/asset/js/fancybox.umd.js
  • /wp-content/plugins/wp-video-lightbox/asset/js/wp-video-lightbox.js

Version Parameters

  • wp-video-lightbox/asset/css/prettyPhoto.css?ver=
  • wp-video-lightbox/asset/css/wp-video-lightbox.css?ver=
  • wp-video-lightbox/asset/js/jquery.prettyPhoto.js?ver=
  • wp-video-lightbox/asset/js/jquery.prettyPhoto.init.js?ver=
  • wp-video-lightbox/asset/js/fancybox.umd.js?ver=
  • wp-video-lightbox/asset/js/wp-video-lightbox.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-video-lightbox
Data Attributes
data-wpvl-type
data-wpvl-url
JS Globals
WP_VIDEO_LIGHTBOX_VERSION
WP_VID_LIGHTBOX_URL
wpvl_paramReplace
Shortcode Output
<p>Error! You must specify a value for the Video ID, Width, Height and Anchor parameters to use this shortcode!</p>
<p>Error! You must specify a valid width to use this shortcode!</p>
<p>Error! You must specify a valid height to use this shortcode!</p>
<p>Error! You must specify an anchor parameter if you are not using the auto_thumb option.</p>

FAQ

Frequently Asked Questions about WP Video Lightbox