CVE-2024-6870
The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping affecting the rl_upload_image AJAX endpoint. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file.
| Software | From | Fixed in |
|---|---|---|
| dfactory / responsive_lightbox | - | 2.4.8 |
- https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.4.7/includes/class-remote-library.php#L261
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3137531%40responsive-lightbox&new=3137531%40responsive-lightbox&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/responsive-lightbox/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d55309-d178-4b3d-9de6-2cf2769b76fe?source=cve
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime