CVE-2024-5020

Published: Dec 4, 2024

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

6.4

MEDIUM

Description

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor	Product	Versions
extendthemes	Colibri Page Builder	affected `0 - <= 1.0.286`
smub	Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More	affected `0 - <= 1.8.15`
bqworks	Accordion Slider	affected `0 - <= 1.9.12`
10web	Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	affected `0 - <= 1.15.27`
jetmonsters	Getwid – Gutenberg Blocks	affected `0 - <= 2.0.11`
firelightwp	Firelight Lightbox	affected `0 - <= 2.3.3`
dfactory	Responsive Lightbox & Gallery	affected `0 - <= 2.4.8`
shapedplugin	Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel	affected `0 - <= 2.6.8`
colorlibplugins	FancyBox for WordPress	affected `0 - <= 3.3.4`
nko	Visual Portfolio, Photo Gallery & Post Grid	affected `0 - <= 3.3.9`
smub	Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery	affected `0 - <= 3.59.4`
wpclever	WPC Smart Quick View for WooCommerce	affected `0 - <= 4.1.1`
posimyththemes	Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder	affected `0 - <= 4.3.1`
Easy Social Feed	Easy Social Feed Premium	affected `0 - <= 6.6.2`
foliovision	FV Flowplayer Video Player	affected `0 - <= 7.5.47.7212`