CVE-2025-9710
BaseFortify
Publication date: 2025-10-06
Last updated on: 2025-10-06
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| responsive_lightbox_and_gallery | responsive_lightbox_and_gallery | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9710 is a Stored Cross-Site Scripting (XSS) vulnerability in the Responsive Lightbox & Gallery WordPress plugin versions before 2.5.3. It occurs because the plugin does not properly sanitize HTML tag attributes in comments, allowing unauthenticated attackers to inject malicious JavaScript code via event handler attributes. When a crafted comment is approved and viewed, the malicious script executes in the context of users viewing the comment. [1]
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated attackers to execute arbitrary JavaScript code in the browsers of users who view the affected comments. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information, compromising the security and integrity of the affected website and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Responsive Lightbox & Gallery WordPress plugin is installed and if its version is prior to 2.5.3. Additionally, you can look for comments containing suspicious HTML anchor tags with event handler attributes (e.g., onfocus, onclick) that could trigger JavaScript execution. Since the injected links appear normal during moderation, manual inspection of comments or automated scanning for event handler attributes in comment content is recommended. There are no specific network commands provided, but inspecting the plugin version and comment content on the WordPress site is key. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Responsive Lightbox & Gallery WordPress plugin to version 2.5.3 or later, where the issue has been fixed. Additionally, disable the "Enable lightbox for comments content" option in the plugin settings if updating is not immediately possible. Review and moderate comments carefully to prevent malicious scripts from being executed until the patch is applied. [1]