CVE-2025-5093
BaseFortify
Publication date: 2025-06-27
Last updated on: 2025-07-01
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dfactory | responsive_lightbox | to 2.5.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5093 is a Stored Cross-Site Scripting (XSS) vulnerability in the Responsive Lightbox & Gallery WordPress plugin versions before 2.5.2. The plugin uses the Swipebox library, which does not properly validate and escape title attributes before displaying them on pages or posts. This allows users with Contributor role or higher to inject malicious JavaScript code that gets stored and executed when other users view the affected content. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor or higher privileges to inject malicious JavaScript code into posts or pages. When other users view this content, the malicious code executes in their browsers, potentially leading to session hijacking, data theft, or other malicious actions. This compromises the security and integrity of the affected website and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if the Responsive Lightbox & Gallery WordPress plugin version is prior to 2.5.2 and if the Swipebox library is set as the default lightbox. Additionally, you can test for the vulnerability by creating a post as a Contributor user with a crafted title attribute containing a script payload, such as: <a title="<img src=x onerror=\"alert()\">" href="https://www.youtube.com/watch?v=_aLoX-OgoX8">Click me</a>. If the alert executes when viewing the post, the vulnerability is present. There are no specific network commands provided, but checking plugin version and testing with crafted posts are the suggested methods. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Responsive Lightbox & Gallery WordPress plugin to version 2.5.2 or later, where the vulnerability has been fixed. Additionally, restrict Contributor role users from adding untrusted HTML content or disable the Swipebox lightbox setting until the update is applied. [1]