CVE-2025-5092
Severity: MEDIUM
LightGallery WP < 1.0.5 - Authenticated Stored Cross-Site Scripting via lightGallery Library
Title source: llmDescription
Multiple WordPress plugins and themes are vulnerable to Stored Cross-Site Scripting through the bundled lightGallery library (<= 2.8.3), across various plugin versions, due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
References (7)
https://github.com/sachinchoolur/lightGallery
Scores
CVSS v3: 6.4
EPSS: 0.0021
EPSS Percentile: 11.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (9)
famethemes/OnePress: < 2.3.16
galaxyweblinks/Gallery with thumbnail slider: < 7.8
lightgalleryteam/LightGallery WP: < 1.0.5
oxilab/Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ): < 9.10.5
tplugins/TP WooCommerce Product Gallery: < 1.1.9
vowelweb/Ibtana – WordPress Website Builder: < 1.2.5.1
wpkin/Image Hover Effects Ultimate: < 9.10.5
wproyal/Royal Addons for Elementor – Addons and Templates Kit for Elementor: < 1.7.1031
wpsofts/Portfolio, Gallery, Product Catalog – Grid KIT Portfolio: < 2.2.1
Published: Nov 20, 2025
Tracked Since: Feb 18, 2026