Multiple Plugins and Themes – Contributor+ DOM-Based Stored XSS via lightGallery Library | CVE 2025-5092 | Plugin Vulnerabilities

Description

Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

gallery-with-thumbnail-slider

No known fix

ibtana-visual-editor

Fixed in 1.2.5.2

image-hover-effects-ultimate

No known fix

No known fix

Fixed in 2.2.2

royal-elementor-addons

Fixed in 1.7.1032

tp-woocommerce-product-gallery

Fixed in 2.0.0

Affects Themes

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/acaa3142-2bbc-43d3-8ecc-05e8edb931ec

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

69b3dd18-e7fe-488c-b43e-86590a9cf790

Timeline

Publicly Published

2025-11-19 (about 5 months ago)

Added

2025-11-20 (about 5 months ago)

Last Updated

2025-11-20 (about 5 months ago)

Other

Published

Title

Published

2025-01-06

Title

Candifly <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-10-24

Title

Advanced FAQ Manager < 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-15

Title

Royal Elementor Addons and Templates < 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Builder Widget

Published

2026-04-07

Title

Beaver Builder Page Builder – Drag and Drop Website Builder < 2.10.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]'

Published

2025-03-24

Title

Secret Meta <= 1.2.1 - Reflected Cross-Site Scripting