The WP SexyLightBox plugin for WordPress contains a CSRF vulnerability that enables stored XSS attacks. This affects all versions up to 0.5.3. The vulnerability allows attackers to trick authenticated users into submitting unauthorized requests, which can result in malicious scripts being stored and executed within the application context. The CVSS 3.1 base score is 7.1, reflecting high severity due to network accessibility, low complexity, and impacts on confidentiality, integrity, and availability. No patch or vendor advisory is currently provided, and no exploits are known in the wild.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of affected users, potentially leading to data theft, session hijacking, or other malicious actions. The CSRF aspect means attackers can induce authenticated users to perform unintended actions. The overall impact affects confidentiality, integrity, and availability to a limited extent as per the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling the WP SexyLightBox plugin or restricting its use to trusted environments. Applying standard WordPress security best practices may help reduce risk, but no specific official fix or temporary workaround is currently documented.