EIP-2026-104496

PRE-CVE

WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104496. PoCs published by n1x_.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in WordPress Plugin Colorbox Lightbox v1.1.1 due to improper input sanitization in the 'hyperlink' field of the plugin shortcode. The PoC provides example payloads that execute arbitrary JavaScript when injected into a post.

Description

WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)

Exploits (1)

exploitdb WORKING POC

by n1x_ · textwebappsmultiple

https://www.exploit-db.com/exploits/48919

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in WordPress Plugin Colorbox Lightbox v1.1.1 due to improper input sanitization in the 'hyperlink' field of the plugin shortcode. The PoC provides example payloads that execute arbitrary JavaScript when injected into a post.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin Colorbox Lightbox v1.1.1

Auth required

Prerequisites: WordPress installation with Colorbox Lightbox plugin v1.1.1 · User privileges to write and publish posts

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026