WordPress Multiple Plugins Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in multiple WordPress plugins, including NextGEN Gallery and SimpleLightbox. This issue arises from inadequate input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access or higher to inject arbitrary scripts. The vulnerability is present in pages that execute the injected scripts when accessed by users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Remediation

Users of NextGEN Gallery should update to version 3.59.5 or a newer patched version. For SimpleLightbox, no patch is currently available. It is recommended to review the vulnerability details and consider uninstalling the affected software.