ByteOS Network

Woostify

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-4805

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-6.4||MEDIUM

EPSS-0.04% / 12.04%

7 Day CHG~0.00%

Published-28 Apr, 2026 | 06:45

Updated-28 Apr, 2026 | 20:26

Woostify <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lity.js Library via data-lity Attribute in Custom HTML Block

The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor-duongancol

Product-Woostify

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-60101

Assigner-Patchstack

View Details

Assigner-Patchstack

CVSS Score-5.9||MEDIUM

EPSS-0.03% / 7.67%

7 Day CHG-0.00%

Published-26 Sep, 2025 | 08:31

Updated-28 Apr, 2026 | 16:13

WordPress Woostify Theme <= 2.4.2 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in duongancol Woostify woostify allows Stored XSS.This issue affects Woostify: from n/a through <= 2.4.2.

Vendor-duongancol

Product-Woostify

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')