WordPress Plugins: XSS via lightGallery <=2.8.3 (Contributor+ attacks)
CVE-2025-5092 Published on November 20, 2025

Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

NVD

Timeline

Vendor Notified

Disclosed 161 days later.

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2025-5092 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2025-5092

Want to know whenever a new CVE is published for WordPress? stack.watch will email you.

WordPress
 

Affected Versions

lightgalleryteam LightGallery WP: tplugins TP WooCommerce Product Gallery: vowelweb Ibtana – WordPress Website Builder: wproyal Royal Addons for Elementor – Addons and Templates Kit for Elementor: wpsofts Portfolio, Gallery, Product Catalog – Grid KIT Portfolio: famethemes OnePress: galaxyweblinks Gallery with thumbnail slider: wpkin Image Hover Effects Ultimate:

Exploit Probability

EPSS
0.05%
Percentile
16.72%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.