WordPress Plugin Vulnerabilities

Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library

Description

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Featherlight.js JavaScript library (versions 1.7.13 to 1.7.14) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
responsive-lightbox
Fixed in 2.4.8
Plugin icon
wp-featherlight
No known fix

References

CVE
CVE-2024-5667
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/44b173da-a6b9-424c-95a1-a87a9b8ee4af

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
c12d2e0d-dc71-4eb4-8c91-a96dcdaf111f

Timeline

Publicly Published
2025-03-04 (about 1 year ago)
Added
2025-03-04 (about 1 year ago)
Last Updated
2025-03-05 (about 1 year ago)

Other

Published
Title
Published
2024-04-18
Title
eCommerce Product Catalog Plugin for WordPress < 3.3.33 - Reflected Cross-Site Scripting
Published
2025-01-06
Title
Bootstrap Blocks for WP Editor v2 < 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-04-28
Title
Countdown & Clock < 2.3.3 - Reflected Cross-Site Scripting
Published
2021-08-02
Title
SMS Alert Order Notifications – WooCommerce < 3.4.7 Authenticated Cross Site Scripting
Published
2026-01-16
Title
CM E-Mail Blacklist < 1.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter