CVE-2025-15386
Status: Received - Intake
Stored XSS in Responsive Lightbox & Gallery WordPress Plugin

Publication date: 2026-02-24

Last updated on: 2026-02-24

Assigner: WPScan

Description
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an unauthenticated stored XSS attack due to flawed regex replacement rules. They can be abused by posting a comment containing a malicious link when the lightbox for comment content is enabled; the payload becomes live once the comment is approved.
Meta Information
Published: 2026-02-24
Last Modified: 2026-02-24
Generated: 2026-05-07
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: responsive_lightbox_and_gallery
Product: responsive_lightbox_and_gallery
Version / Range: up to 2.6.1 (excluding 2.6.1)
Exploitability
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-15386 is an unauthenticated stored cross-site scripting (XSS) vulnerability in the WordPress plugin Responsive Lightbox & Gallery in versions before 2.6.1.

The plugin can post-process comment content so that links in comments open in its lightbox. When the "Enable lightbox for comments content" setting is on, that post-processing is done with regular-expression replacement rules, and a specially crafted link in a comment can make those rules emit HTML carrying an attribute such as an onfocus event handler. No account is needed: the attacker only has to be able to post a comment.

The payload becomes live once the comment is approved. Approval does not always require a moderator's click: with WordPress's default discussion settings a comment is auto-approved when its author already has a previously approved comment, unless "Comment must be manually approved" is enabled. From then on the JavaScript executes in the site's origin every time a page showing the comment is viewed, which is what makes this a stored XSS.


How can this vulnerability impact me?

This vulnerability lets an unauthenticated attacker run arbitrary JavaScript in the context of the website once a malicious comment has been approved.

The script runs with whatever the viewing user has. For a logged-in administrator that means it can issue requests to wp-admin, admin-ajax.php or the REST API with that administrator's session and nonces, for example to create an additional administrator account or change site content, as well as deface pages or redirect visitors to attacker-controlled sites. Outright theft of the administrator's session cookies is less likely, because WordPress sets its authentication cookies as HttpOnly, but the script does not need the cookie value to act on the administrator's behalf.

Because the payload is stored and fires whenever the comment is rendered, it affects every visitor and logged-in user who views the page, and it persists until the comment is removed or unapproved, or the plugin is updated to a version whose link rewriting no longer emits the injected attribute.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirm exposure, then look for payloads.

Exposure: the site runs Responsive Lightbox & Gallery below 2.6.1 with the "Enable lightbox for comments content" setting enabled. The installed version is visible under Plugins in wp-admin or, with WP-CLI, in the output of wp plugin list.

Payloads: review comment content for anchor tags with unusual attributes, in particular on* event handlers such as onfocus, which is the indicator reported for this issue. Query the comments table directly (adjust the wp_ prefix if the site uses a different one; with WP-CLI the same statement can be run through wp db query):

    SELECT comment_ID, comment_author, comment_approved, comment_content FROM wp_comments WHERE comment_content LIKE '%onfocus=%';

Or scan an export of the table:

    grep -i 'onfocus=' comments_export.txt

Two caveats. The literal 'onfocus=' is one payload shape; also search for other handlers (onmouseover, onerror, onclick, ...) and for javascript: URLs in href attributes. And a plain substring match also flags prose that happens to contain the string, so review hits by hand. Approved comments (comment_approved = 1) are the ones rendered on the site, so prioritise those, especially comments approved recently.
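The scan described above, written out as an added example (this is not code from the page, from WPScan or from the plugin). It parses a tab-separated export of the comments table and goes beyond the page's literal 'onfocus=' match: it flags any on* event-handler attribute inside an anchor tag and any javascript: href, ignores the string when it merely appears in prose, and separates approved comments (which render on the site) from pending ones. The export rows are constructed for the example, and the column layout (comment_ID, comment_author, comment_approved, comment_content) is an assumption about how the table was dumped.

```python
import re

# Constructed sample export of a WordPress comments table (tab-separated, as a
# phpMyAdmin or `mysql --batch` dump would produce). Rows are invented for this
# example and are not from any real site; the payload in row 102 is a generic
# onfocus/autofocus pattern, not a copy of a published exploit.
SAMPLE_EXPORT = """\
comment_ID\tcomment_author\tcomment_approved\tcomment_content
101\talice\t1\tGreat gallery, see <a href="https://example.com/photo.jpg">my photo</a>
102\tmallory\t1\tNice <a href="https://example.com/x.jpg" onfocus="alert(document.domain)" autofocus>pic</a>
103\ttrudy\t0\t<a href="javascript:alert(1)">click me</a>
104\tbob\t1\tThe docs mention onfocus= handlers but this is just prose
"""

# Anchor tags carrying an inline event handler (onfocus, onmouseover, ...).
# The page's own query matches only the literal 'onfocus='; this generalises to
# any on* attribute that sits inside an <a ...> tag, preceded by whitespace so a
# query-string key such as ?one=1 inside the href does not trigger it.
HANDLER_RE = re.compile(r'<a\b[^>]*\son[a-z]+\s*=', re.IGNORECASE)
# Anchor tags whose href is a javascript: URL.
JS_URL_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']?\s*javascript:', re.IGNORECASE)


def parse_export(tsv_text):
    """Parse a header-first TSV dump into a list of dicts.

    comment_content is the last column, so the split is capped at the number
    of columns minus one and any tab inside the comment body survives.
    """
    lines = [line for line in tsv_text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t", len(header) - 1))) for line in lines[1:]]


def scan_comments(tsv_text):
    """Return (comment_ID, is_approved, reason) for every suspicious comment."""
    findings = []
    for row in parse_export(tsv_text):
        content = row["comment_content"]
        reasons = []
        if HANDLER_RE.search(content):
            reasons.append("event handler attribute in <a> tag")
        if JS_URL_RE.search(content):
            reasons.append("javascript: URL in <a> tag")
        if reasons:
            findings.append((row["comment_ID"], row["comment_approved"] == "1", "; ".join(reasons)))
    return findings


def approved_findings(tsv_text):
    """Only approved comments (comment_approved = 1) are rendered on the site."""
    return [finding for finding in scan_comments(tsv_text) if finding[1]]


if __name__ == "__main__":
    for cid, approved, reason in scan_comments(SAMPLE_EXPORT):
        state = "APPROVED, rendered on the site" if approved else "pending, not rendered"
        print(f"comment {cid}: {reason} ({state})")
```

On the sample data the scan reports comments 102 and 103 and leaves 104 alone, whereas the plain LIKE '%onfocus=%' query would also return 104; only 102 is approved, so it is the one that actually executes for visitors. Against a real site, dump the table with the same column order and feed the file to scan_comments.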


What immediate steps should I take to mitigate this vulnerability?

Update Responsive Lightbox & Gallery to version 2.6.1 or later, where the issue is fixed.

If the update cannot be applied right away, turn off the "Enable lightbox for comments content" setting so the vulnerable link rewriting is no longer applied to comments.

Review comments for suspicious payloads, in particular anchor tags with on* event handlers such as onfocus, and delete or unapprove any you find. Do this even after updating: the update changes how comments are rendered, but a stored comment still contains its payload.

Tighten moderation so that only trusted users approve comments. Enabling "Comment must be manually approved" under Settings > Discussion also stops WordPress's default auto-approval of comments from authors who already have a previously approved comment.

