[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuIH44nvuDRvWKhAdqyjJSIEXVYWv3ULN6uSkohvb7ho":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-4379","lightpress-lightbox-authenticated-contributor-stored-cross-site-scripting-via-group-shortcode-attribute","LightPress Lightbox \u003C= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute","The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the `group` attribute value without proper escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-jquery-lightbox",null,"\u003C=2.3.4","2.3.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 13:33:34","2026-04-08 02:25:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2bed4818-70c5-40b7-8d8d-f43f3baa0f3d?source=api-prod",1,[22,23,24,25],"lightboxes\u002Fwp-jquery-lightbox\u002Fclass-wp-jquery-lightbox.php","lightboxes\u002Fwp-jquery-lightbox\u002Fwp-jquery-lightbox-legacy.php","readme.txt","wp-jquery-lightbox.php","researched",false,3,"This research plan outlines the process for exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the LightPress Lightbox plugin (versions \u003C= 2.3.4).\n\n## 1. Vulnerability Summary\nThe **LightPress Lightbox** plugin is vulnerable to Stored XSS via the `group` attribute of the WordPress `[gallery]` shortcode. The plugin hooks into the `post_gallery` filter to capture the `group` attribute and subsequently modifies the HTML output (likely via `the_content` or by overriding the gallery output) to inject this value into the `rel` attribute of image links. Because the `group` value is concatenated into the HTML string without using `esc_attr()` or similar sanitization, an authenticated attacker with **Contributor-level permissions** can break out of the HTML attribute and inject arbitrary JavaScript.\n\n## 2. 
Attack Vector Analysis\n*   **Target Endpoint:** Post\u002FPage creation\u002Feditor (`\u002Fwp-admin\u002Fpost-new.php` or REST API `\u002Fwp\u002Fv2\u002Fposts`).\n*   **Vulnerable Component:** The `[gallery]` shortcode processing logic.\n*   **Vulnerable Parameter:** The `group` attribute within the shortcode.\n*   **Authentication Level:** Contributor or higher (any role capable of using shortcodes in posts).\n*   **Preconditions:** The plugin must be active. A post containing the malicious shortcode must be published or previewed.\n\n## 3. Code Flow\n1.  **Entry Point:** An authenticated user saves or previews a post containing: `[gallery group='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n2.  **Shortcode Handling:** When the post is rendered, WordPress triggers the `post_gallery` filter. \n3.  **Plugin Hook:** In `lightboxes\u002Fwp-jquery-lightbox\u002Fclass-wp-jquery-lightbox.php`, the constructor registers the filter:\n    `add_filter( 'post_gallery', array( $this, 'filter_groups' ), 10, 2 );`\n4.  **State Storage:** The `filter_groups` function (or `jqlb_filter_groups` in legacy mode) extracts the `group` attribute:\n    ```php\n    \u002F\u002F In wp-jquery-lightbox-legacy.php\n    function jqlb_filter_groups($output, $attr) {\n        global $jqlb_group;\n        if(isset($attr['group'])){\n            $jqlb_group = $attr['group']; \u002F\u002F Raw input assigned to global\n        }\n        return $output;\n    }\n    ```\n5.  **Sink:** The plugin later processes the content, likely in `filter_content` (registered at line 91 of `class-wp-jquery-lightbox.php` on the `the_content` hook). It searches for image links within the gallery and appends `rel=\"lightbox[GROUP_VALUE]\"`. \n6.  **XSS Trigger:** Because `GROUP_VALUE` (the `group` attribute) is not escaped with `esc_attr()`, the payload `\">\u003Cscript>alert(1)\u003C\u002Fscript>` closes the `rel` attribute and the `\u003Ca>` tag, allowing the script to execute.\n\n## 4. 
Nonce Acquisition Strategy\nThis vulnerability does not require a plugin-specific nonce for the **execution phase**, as the XSS is stored and executes when the page is viewed. However, the **injection phase** (saving the post) requires standard WordPress authentication and nonces.\n\n**Strategy for Automated Agent:**\n1.  Use the `wp_cli` tool to create a post directly. This bypasses the need to manually extract CSRF nonces from the WordPress editor UI.\n2.  Alternatively, if using the UI via `browser_navigate`:\n    *   The `_wpnonce` and `_wp_http_referer` are standard in the `post.php` form.\n    *   No specialized `wp_localize_script` nonce is needed because we are not targeting an AJAX endpoint, but rather the shortcode rendering engine.\n\n## 5. Exploitation Strategy\nThe exploitation will involve creating a post as a Contributor and then verifying the XSS as an unauthenticated visitor.\n\n1.  **Login as Contributor:** Authenticate as a user with the `contributor` role.\n2.  **Upload Media (Optional but Recommended):** Ensure at least one image exists in the media library so the `[gallery]` shortcode renders actual `\u003Ca>` tags.\n3.  **Create Malicious Post:** Use `wp_cli` to create a post containing the payload.\n    *   **Payload:** `[gallery ids=\"1\" group='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`\n4.  **View Post:** Use the `http_request` tool to navigate to the frontend URL of the newly created post.\n5.  **Verify Payload Execution:** Inspect the response body to confirm the presence of the unescaped script tag within the gallery HTML.\n\n## 6. Test Data Setup\n*   **User:** A user with the username `contributor_user` and role `contributor`.\n*   **Media:** At least one attachment. We can use `wp media import` to add a placeholder image.\n*   **Shortcode:** `[gallery ids=\"ID_HERE\" group='\">\u003Cimg src=x onerror=alert(document.domain)>']`\n\n## 7. 
Expected Results\n*   The HTTP response for the post's frontend page should contain the string:\n    `rel=\"lightbox[\">\u003Cimg src=x onerror=alert(document.domain)>]\"`\n*   The browser (if rendered) would trigger the `alert`.\n*   The raw HTML will show the `rel` attribute being prematurely closed by the `\">` characters in our payload.\n\n## 8. Verification Steps\n1.  **Check Post Content:** \n    `wp post get \u003CPOST_ID> --field=post_content`\n2.  **Verify HTML Output:**\n    Use `http_request` to fetch the post and grep for the payload:\n    `grep -P 'rel=\"lightbox\\[\">\u003Cscript'`\n3.  **Confirm Lack of Escaping:**\n    Verify that the `\"` and `>` characters are NOT converted to `&quot;` and `&gt;`.\n\n## 9. Alternative Approaches\n*   **Legacy Mode:** If the plugin is configured to use the legacy file (`JQLB_LEGACY` constant set to `true`), target the `jqlb_filter_groups` function in `lightboxes\u002Fwp-jquery-lightbox\u002Fwp-jquery-lightbox-legacy.php`.\n*   **Attribute Variations:** If `group` is not reflected in `rel`, check for it in `data-lightbox-group` or other custom data attributes the plugin might use to categorize images.\n*   **Comments XSS:** The plugin also has a `lightbox_comment` filter (line 94 of `class-wp-jquery-lightbox.php`). If this filter uses the same `lightbox_group` logic, XSS might be possible via comment text if the plugin attempts to \"lightbox\" links within comments.","The LightPress Lightbox plugin is vulnerable to Stored Cross-Site Scripting via the 'group' attribute in the WordPress [gallery] shortcode. 
This occurs because the plugin fails to escape the group value before injecting it into the 'rel' attribute of image links, allowing attackers with Contributor-level permissions or higher to execute arbitrary JavaScript in the context of a user's browser.","\u002F\u002F File: lightboxes\u002Fwp-jquery-lightbox\u002Fclass-wp-jquery-lightbox.php (around line 395)\n\t\t\u002F\u002F Grouping.\n\t\treturn str_replace( '\u003Ca', '\u003Ca rel=\"lightbox[' . $this->lightbox_group . ']\"', $html );\n\n---\n\n\u002F\u002F File: lightboxes\u002Fwp-jquery-lightbox\u002Fwp-jquery-lightbox-legacy.php (around line 329)\nfunction jqlb_lightbox_gallery_links($html){ \u002F\u002Fhonors our custom group-attribute of the gallery shortcode.\n\tglobal $jqlb_group;\n\tif(!isset($jqlb_group) || $jqlb_group == -1){return $html;}\n    return str_replace('\u003Ca','\u003Ca rel=\"lightbox['.$jqlb_group.']\"', $html);\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.4\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fclass-wp-jquery-lightbox.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.5\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fclass-wp-jquery-lightbox.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.4\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fclass-wp-jquery-lightbox.php\t2024-10-20 23:54:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.5\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fclass-wp-jquery-lightbox.php\t2026-03-25 23:14:32.000000000 +0000\n@@ -392,7 +392,7 @@\n \t\t}\n \n \t\t\u002F\u002F Grouping.\n-\t\treturn str_replace( '\u003Ca', '\u003Ca rel=\"lightbox[' . $this->lightbox_group . ']\"', $html );\n+\t\treturn str_replace( '\u003Ca', '\u003Ca rel=\"lightbox[' . esc_attr( $this->lightbox_group ) . 
']\"', $html );\n \t}\n \n \t\u002F**\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.4\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fwp-jquery-lightbox-legacy.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.5\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fwp-jquery-lightbox-legacy.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.4\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fwp-jquery-lightbox-legacy.php\t2024-06-19 16:37:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-jquery-lightbox\u002F2.3.5\u002Flightboxes\u002Fwp-jquery-lightbox\u002Fwp-jquery-lightbox-legacy.php\t2026-03-25 23:14:32.000000000 +0000\n@@ -326,7 +326,7 @@\n function jqlb_lightbox_gallery_links($html){ \u002F\u002Fhonors our custom group-attribute of the gallery shortcode.\n \tglobal $jqlb_group;\n \tif(!isset($jqlb_group) || $jqlb_group == -1){return $html;}\n-    return str_replace('\u003Ca','\u003Ca rel=\"lightbox['.$jqlb_group.']\"', $html);\n+    return str_replace('\u003Ca','\u003Ca rel=\"lightbox['.esc_attr($jqlb_group).']\"', $html);\n }","1. Authenticate as a user with at least Contributor-level access (capable of creating and editing posts).\n2. Create a new post or edit an existing one.\n3. Insert a [gallery] shortcode using the 'group' attribute. The payload should use a closing quote and bracket to break out of the HTML attribute.\n4. Payload example: `[gallery group='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`.\n5. Publish or preview the post.\n6. When the gallery is rendered on the frontend, the plugin's `post_gallery` filter captures the group value and its content filter injects it directly into the `\u003Ca>` tag's `rel` attribute. 
The payload executes because the value is not passed through `esc_attr()`. Caveat on the payload shape: a Contributor does not hold the `unfiltered_html` capability, so the post content is run through KSES on save, which strips the `\u003Cscript>` tags and encodes the stray `>` as `&gt;`, leaving nothing that breaks out of the tag. The breakout that survives for that role relies on the `\"` character alone, closing the `rel` value and appending an event-handler attribute with no `\u003C` or `>` anywhere in the group value. Because `esc_attr()` also encodes `\"`, the 2.3.5 fix closes that variant as well.","gemini-3-flash-preview","2026-04-17 20:48:50","2026-04-17 20:49:20",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.3.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-jquery-lightbox\u002Ftags\u002F2.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-jquery-lightbox.2.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-jquery-lightbox\u002Ftags\u002F2.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-jquery-lightbox.2.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-jquery-lightbox\u002Ftags"]
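Review bot (class-wp-jquery-lightbox.php hunk at @@ -392,7 +392,7 @@): `esc_attr()` is the right escaper for a value placed inside a double-quoted attribute, but the `str_replace( '<a', '<a rel="lightbox[' ... ']"', $html )` on the same line still prefix-matches every tag that begins with `<a` (`<abbr`, `<address`, `<article`, `<aside`, `<audio`), so those elements receive a `rel` attribute too, and an anchor that already carries `rel` ends up with two. Anchoring the match on the tag name, e.g. `preg_replace( '/<a\b/', '<a rel="lightbox[' . esc_attr( $this->lightbox_group ) . ']"', $html )`, or inserting the attribute through `DOMDocument`, limits the rewrite to `<a>` tags. As defence in depth the group value could also be restricted to an identifier character set before it is used at all, since a lightbox group name has no need for quotes or angle brackets.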
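Review bot (wp-jquery-lightbox-legacy.php hunk at @@ -326,7 +326,7 @@): the guard `if(!isset($jqlb_group) || $jqlb_group == -1){return $html;}` two lines above the changed line uses a loose comparison, so its behaviour depends on the PHP version: on PHP 7 a leading-numeric group value such as `'-1foo'` compares equal to `-1` and silently disables grouping, while on PHP 8 only `-1`, `'-1'` and other numeric forms do. A strict check against whatever the plugin actually assigns as the "no group" sentinel (`-1 === $jqlb_group`, or `'-1' === $jqlb_group` if it is stored as a string) makes the intent explicit and version-independent. The escaping change itself mirrors the one in `class-wp-jquery-lightbox.php` and is correct for the `rel="..."` context.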
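Worked example, added here and not code from the LightPress Lightbox plugin or from the research output above: a stand-alone PHP script that reproduces the two sinks shown in the vulnerable code and the fix diff, the unescaped `str_replace( '<a', '<a rel="lightbox[' . $group . ']"', $html )` and its `esc_attr()`-wrapped 2.3.5 form, and runs both over constructed gallery markup with three group values: a benign name, the page's `"><script>` payload, and a quote-only payload that adds an event-handler attribute. The third case is included because a Contributor's post content passes through KSES on save, which strips `<script>` tags and encodes a stray `>` as `&gt;`, so the `"`-only variant is the one that actually reaches the sink intact for that role. Assumptions: `esc_attr()` is stood in for by `htmlspecialchars()` with `ENT_QUOTES` because WordPress is not loaded; the gallery HTML is constructed to resemble core's `gallery_shortcode()` output; the function names `lightbox_links_vulnerable`, `lightbox_links_fixed`, `anchor_attribute_names` and `has_script_tag` are this example's own.

```php
<?php
// Added example, not code from the LightPress Lightbox plugin: reproduces the
// vulnerable rel="lightbox[...]" sink (<= 2.3.4) and the esc_attr() fix (2.3.5)
// from class-wp-jquery-lightbox.php / wp-jquery-lightbox-legacy.php, and runs
// both over constructed gallery markup.  Run with: php lightbox_group_sink.php

// Stand-in for WordPress esc_attr() so this runs without WordPress loaded.
// Assumption: htmlspecialchars() with ENT_QUOTES is an adequate equivalent here
// (both turn &, <, >, " and ' into entities).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable sink (2.3.4): the raw shortcode attribute is concatenated into rel="...".
function lightbox_links_vulnerable( $html, $group ) {
    return str_replace( '<a', '<a rel="lightbox[' . $group . ']"', $html );
}

// Fixed sink (2.3.5): the value is attribute-escaped before concatenation.
function lightbox_links_fixed( $html, $group ) {
    return str_replace( '<a', '<a rel="lightbox[' . esc_attr( $group ) . ']"', $html );
}

// Returns the attribute names of the first <a ...> tag, tokenised the way a
// browser would see them: if the group value escaped the rel attribute, extra
// names (such as an event handler) show up in this list.
function anchor_attribute_names( $html ) {
    if ( ! preg_match( '/<a\b([^>]*)>/i', $html, $tag ) ) {
        return array();
    }
    preg_match_all( '/([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*"[^"]*"/', $tag[1], $attrs );
    return $attrs[1];
}

// True if a literal <script tag survived into the output (tag breakout).
function has_script_tag( $html ) {
    return stripos( $html, '<script' ) !== false;
}

// Constructed gallery HTML, shaped like core's gallery_shortcode() output.
$gallery_html = '<figure class="gallery-item">'
    . '<a href="/wp-content/uploads/2026/04/pic.jpg">'
    . '<img src="/wp-content/uploads/2026/04/pic-150x150.jpg" alt=""></a></figure>';

$group_values = array(
    'benign'             => 'holiday',
    // The page's payload. For a Contributor, KSES strips the <script> tags and
    // encodes the stray ">" on save, so this form never reaches the sink intact.
    'tag breakout'       => '"><script>alert(document.domain)</script>',
    // Quote-only breakout: no "<" or ">", so KSES leaves it untouched and the
    // vulnerable sink turns it into a live onmouseover attribute on the anchor.
    'attribute breakout' => '" onmouseover="alert(document.domain)" data-x="',
);

foreach ( $group_values as $label => $group ) {
    $vulnerable = lightbox_links_vulnerable( $gallery_html, $group );
    $fixed      = lightbox_links_fixed( $gallery_html, $group );
    printf( "== %s ==\n", $label );
    printf( "vulnerable anchor attributes: %s\n", implode( ', ', anchor_attribute_names( $vulnerable ) ) );
    printf( "fixed anchor attributes:      %s\n", implode( ', ', anchor_attribute_names( $fixed ) ) );
    printf( "script tag present (vulnerable / fixed): %s / %s\n",
        has_script_tag( $vulnerable ) ? 'yes' : 'no',
        has_script_tag( $fixed ) ? 'yes' : 'no' );
    printf( "vulnerable html: %s\n", $vulnerable );
    printf( "fixed html:      %s\n\n", $fixed );
}
```

Run with `php`, the script prints, for each group value, the attribute names on the first `<a>` tag: `rel, href` for the fixed output in all three cases, against `rel, onmouseover, data-x, href` for the quote-only payload on the vulnerable output, and a surviving `<script` tag only for the vulnerable output of the tag-breakout case. Pointing `anchor_attribute_names()` at a fetched front-end page is a more reliable post-patch check than grepping for the literal `<script` string in section 8 of the research plan, because it also catches the attribute-only variant that KSES lets through.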