WordPress Plugin Vulnerabilities

Colorbox Lightbox < 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Colorbox Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
wp-colorbox
Fixed in 1.1.6

References

CVE
CVE-2025-49397
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/01391c72-6829-4c17-af0b-597965ee9fca

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Prissy
Verified
No
WPVDB ID
8c05ecac-c250-4975-a08d-2dd572f649ec

Timeline

Publicly Published
2025-08-20 (about 8 months ago)
Added
2025-08-26 (about 8 months ago)
Last Updated
2025-08-26 (about 8 months ago)

Other

Published
Title
Published
2024-09-25
Title
Form Maker < 1.15.28 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2019-05-04
Title
All-in-One Event Calendar <= 2.5.38 - Cross-Site Scripting (XSS)
Published
2024-07-04
Title
bbPress Notify < 2.18.4 - Reflected Cross-Site Scripting
Published
2023-01-03
Title
Icon Widget < 1.3.0 - Contributor+ Stored XSS via Shortcode
Published
2024-05-02
Title
Elementor Website Builder Pro < 3.21.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting