Executive Summary

CVE-2025-9710 is a Stored Cross-Site Scripting (XSS) vulnerability in the Responsive Lightbox & Gallery WordPress plugin versions before 2.5.3. It occurs because the plugin does not properly sanitize HTML tag attributes in comments, allowing unauthenticated attackers to inject malicious JavaScript code via event handler attributes. When a crafted comment is approved and viewed, the malicious script executes in the context of users viewing the comment. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthenticated attackers to execute arbitrary JavaScript code in the browsers of users who view the affected comments. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information, compromising the security and integrity of the affected website and its users. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Responsive Lightbox & Gallery WordPress plugin is installed and if its version is prior to 2.5.3. Additionally, you can look for comments containing suspicious HTML anchor tags with event handler attributes (e.g., onfocus, onclick) that could trigger JavaScript execution. Since the injected links appear normal during moderation, manual inspection of comments or automated scanning for event handler attributes in comment content is recommended. There are no specific network commands provided, but inspecting the plugin version and comment content on the WordPress site is key. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Responsive Lightbox & Gallery WordPress plugin to version 2.5.3 or later, where the issue has been fixed. Additionally, disable the "Enable lightbox for comments content" option in the plugin settings if updating is not immediately possible. Review and moderate comments carefully to prevent malicious scripts from being executed until the patch is applied. [1]

Useful 0 Not Useful 0