Multi Functional Flexi Lightbox Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in the Multi Functional Flexi Lightbox plugin for WordPress, affecting all versions up to and including 1.2. The plugin stores the value submitted in the 'arv_lb[message]' settings parameter without sufficient input sanitization and later prints it without output escaping, so an authenticated attacker with Administrator access can inject arbitrary web scripts into the option. The stored payload executes whenever a user views a page or post on which the lightbox is enabled.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected script runs in the browser of every user who views an affected page or post, in the security context of that user and of the site. Because the payload is stored in the plugin's settings rather than in a single post, it fires on any page where the lightbox is enabled until the option is cleaned. In a default single-site WordPress installation, Administrators already hold the unfiltered_html capability and can place arbitrary script in post content, so the practical significance of this issue is greatest on multisite installations and on sites where unfiltered_html has been disabled (for example via the DISALLOW_UNFILTERED_HTML constant), where the unescaped setting provides a way around that restriction.
Reproduction
To reproduce this vulnerability, an authenticated user with Administrator privileges submits a value containing script through the 'arv_lb[message]' parameter on the plugin's settings page and saves the settings. The value is stored as-is, and the script executes when any page or post with the lightbox feature enabled is loaded, because the plugin outputs the stored value without escaping it for the HTML context in which it appears.
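The following PHP is an added illustration of the bug class described in the Vulnerability and Reproduction sections above; it is not the Multi Functional Flexi Lightbox plugin's own code. It assumes the settings array is stored under an option named 'arv_lb' (inferred from the parameter name 'arv_lb[message]'), and the function names, settings group and CSS class are invented for the example. The first half shows a save handler and output routine with the two defects the advisory names (no sanitization on save, no escaping on output); the second half shows the same feature with a sanitize_callback registered through the Settings API and context-specific escaping at output time.

```php
<?php
// Added example modelling the vulnerability class, not the plugin's real code.
// Assumptions: option name 'arv_lb' with key 'message'; all function names,
// the settings group 'arv_lb_group' and the CSS class are hypothetical.

// ---------- Vulnerable pattern ----------

// Save handler that stores the posted settings array verbatim.
function arv_lb_save_settings_vulnerable() {
    if ( isset( $_POST['arv_lb'] ) && is_array( $_POST['arv_lb'] ) ) {
        // Defect 1: no sanitization, so '<script>...</script>' is stored as-is.
        update_option( 'arv_lb', wp_unslash( $_POST['arv_lb'] ) );
    }
}

// Front-end output that interpolates the stored string directly into the page.
function arv_lb_print_lightbox_vulnerable() {
    $opts = get_option( 'arv_lb', array() );
    $msg  = isset( $opts['message'] ) ? $opts['message'] : '';
    // Defect 2: no output escaping, in either the HTML or the JavaScript context.
    echo '<div class="arv-lb-message">' . $msg . '</div>';
    echo '<script>var arvLbMessage = "' . $msg . '";</script>';
}

// ---------- Hardened pattern ----------

// 1. Register the option with a sanitize_callback. When the form posts to
//    wp-admin/options.php, WordPress verifies the nonce, checks the
//    manage_options capability and runs the callback before saving.
function arv_lb_register_settings() {
    register_setting(
        'arv_lb_group',
        'arv_lb',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'arv_lb_sanitize_settings',
        )
    );
}
add_action( 'admin_init', 'arv_lb_register_settings' );

// Whitelist the keys we expect and reduce each to the type it should hold.
// The message is plain text, so tags are stripped rather than preserved.
function arv_lb_sanitize_settings( $input ) {
    $clean            = array();
    $clean['message'] = isset( $input['message'] ) ? sanitize_text_field( $input['message'] ) : '';
    return $clean;
}

// 2. Escape for the exact output context anyway. Sanitizing on save is not a
//    substitute: the option may have been written by an older plugin version,
//    by an import, or by another code path that bypassed the callback.
function arv_lb_print_lightbox_hardened() {
    $opts = get_option( 'arv_lb', array() );
    $msg  = isset( $opts['message'] ) ? $opts['message'] : '';

    // HTML text context: esc_html() neutralises <, >, &, quotes.
    echo '<div class="arv-lb-message">' . esc_html( $msg ) . '</div>';

    // JavaScript context: emit the value as a JSON literal instead of gluing it
    // into a quoted string. wp_json_encode() escapes quotes and backslashes and,
    // because PHP's json_encode escapes '/', turns '</script>' into '<\/script>'
    // so the value cannot close the script block.
    echo '<script>var arvLbMessage = ' . wp_json_encode( $msg ) . ';</script>';
}
```

For a site running an affected version, the stored value can be inspected directly rather than by loading the front end; with WP-CLI that would be `wp option get arv_lb --format=json` (option name assumed as above). A value containing `<script`, `onerror=`, `javascript:` or similar in the message field indicates the option has already been tampered with and should be reset after the plugin is updated or removed.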
