The Multi Functional Flexi Lightbox plugin for WordPress, versions up to and including 1.2, contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-3347. The root cause is insufficient sanitization of user input in the 'arv_lb[message]' parameter. Specifically, the sanitize callback function 'arv_lb_options_val()' returns user input without proper sanitization, and the stored message is output in the 'genLB()' function without escaping. This flaw allows an authenticated attacker with administrator privileges to inject arbitrary JavaScript code into the lightbox content. When any user accesses a page or post with the lightbox enabled, the malicious script executes in their browser context. The vulnerability does not require user interaction to trigger once the payload is stored. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, high privileges required, no user interaction, scope changed, and limited confidentiality and integrity impact without affecting availability. Although no public exploits are known, the persistent nature of stored XSS poses risks such as session hijacking, unauthorized actions on behalf of users, and potential defacement or malware distribution. The vulnerability affects all versions of the plugin up to 1.2, and no official patches have been linked yet.

This vulnerability allows attackers with administrator access to inject persistent malicious scripts into WordPress sites using the Multi Functional Flexi Lightbox plugin. The impact includes potential theft of user session cookies, enabling attackers to impersonate users or administrators, leading to privilege escalation or unauthorized actions. It can also facilitate website defacement, phishing, or malware distribution by injecting malicious payloads into trusted pages. Since the vulnerability affects all users visiting pages with the lightbox enabled, it can compromise the confidentiality and integrity of user data. However, availability is not impacted. Organizations relying on this plugin risk reputational damage, data breaches, and loss of user trust if exploited. The requirement for administrator privileges limits exploitation to insiders or compromised accounts but does not eliminate risk, especially in environments with multiple administrators or weak credential management.

Organizations should immediately audit their WordPress installations to identify the presence of the Multi Functional Flexi Lightbox plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate exposure. If continued use is necessary, restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of account compromise. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'arv_lb[message]' parameter. Additionally, review and sanitize all stored content from the plugin database entries manually if possible. Monitor logs for unusual administrator activities and conduct regular security audits. Once a patch becomes available, apply it promptly. Educate administrators about the risks of injecting untrusted content and enforce the principle of least privilege to limit the number of users with high-level access.