Home

Description

The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PUBLISHED Reserved 2026-03-25 | Published 2026-04-28 | Updated 2026-04-28 | Assigner Wordfence




MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

Any version
affected

Timeline

2026-03-31:Vendor Notified
2026-04-27:Disclosed

Credits

Osvaldo Noe Gonzalez Del Rio finder

References

www.wordfence.com/...-e701-4708-b5d4-69b72ff38499?source=cve

themes.trac.wordpress.org/...oostify/2.4.6/assets/js/lity.js

themes.trac.wordpress.org/...oostify/2.4.6/assets/js/lity.js

themes.trac.wordpress.org/...oostify/2.4.6/assets/js/lity.js

themes.trac.wordpress.org/...oostify/2.4.6/assets/js/lity.js

github.com/...ommit/a4669598aa8c5de344dda6c3d42389a3c2e61adc

themes.trac.wordpress.org/....5.0&new_path=%2Fwoostify/2.5.1

cve.org (CVE-2026-4805)

nvd.nist.gov (CVE-2026-4805)

Download JSON