CVE-2026-1430 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the WP Lightbox 2 plugin for WordPress, affecting versions prior to 3.0.7. The vulnerability stems from the plugin's failure to properly sanitize and escape certain settings inputs, which are stored and later rendered in the WordPress admin or front-end interface. This flaw allows users with high privileges, such as administrators, to inject malicious JavaScript code that persists within the application. Notably, this vulnerability can be exploited even when the unfiltered_html capability is disabled, a common security restriction in multisite WordPress environments, thereby broadening the attack surface. The CVSS 3.1 base score is 4.8 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and high privileges, with user interaction needed. The impact primarily affects confidentiality and integrity, as the injected scripts could steal sensitive information or manipulate site content. There is no indication of availability impact. No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin makes it a potential target for attackers aiming to compromise administrative accounts or site integrity. The vulnerability was reserved in January 2026 and published in March 2026, with no patch links provided in the source data, indicating users should verify plugin updates or apply manual mitigations.

The vulnerability allows high privilege users to inject persistent malicious scripts, which can lead to unauthorized actions such as stealing cookies, session tokens, or performing actions on behalf of administrators. This compromises the confidentiality and integrity of the WordPress site and its data. Although exploitation requires admin-level access, the ability to bypass unfiltered_html restrictions in multisite setups increases risk in complex WordPress environments. Organizations relying on WP Lightbox 2 may face defacement, data leakage, or further pivoting attacks if attackers gain admin credentials. The absence of known exploits reduces immediate risk, but the vulnerability could be leveraged in targeted attacks or insider threats. The impact is limited to sites using vulnerable plugin versions and having multiple administrators or editors with elevated privileges.

Administrators should immediately update WP Lightbox 2 to version 3.0.7 or later where this vulnerability is fixed. If an update is not immediately possible, restrict administrative access strictly to trusted users and audit user privileges to minimize risk. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in plugin settings. Regularly review and sanitize all user inputs, especially in plugins that store and render settings. For multisite WordPress installations, consider additional hardening such as disabling unnecessary plugins and enforcing strict content security policies (CSP) to limit script execution. Monitor logs for unusual administrative activity or script injections. Finally, maintain regular backups to enable recovery in case of compromise.