WP Lightbox 2 < 3.0.6.8 – Unauthenticated Stored XSS | CVE 2025-3745 | Plugin Vulnerabilities

Description

The plugin does not correctly sanitize the value of the title attribute of links before using them, which may allow malicious users to conduct XSS attacks.

Proof of Concept

1. Activate the plugin.
2. Make sure comments are opened to visitors on the site
3. Post a comment using the following HTML:

<a title="&lt;img src=x onerror=&quot;alert(123)&quot;" href="https://upload.wikimedia.org/wikipedia/commons/4/4b/Rufous_Breasted_Accentor_Male.jpg">Click me</a>

If another user clicks the link in the comment, the malicious JS is executed.

This can also be used in posts, if the attacker has a contributor or author account.

Affects Plugins

Fixed in 3.0.6.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

1b50f686-c2e0-4963-95c8-b27137dcc059

Timeline

Publicly Published

2025-06-09 (about 7 months ago)

Added

2025-06-09 (about 6 months ago)

Last Updated

2025-06-09 (about 6 months ago)

Other

Published

Title

Published

2024-09-30

Title

WPMobile.App < 11.51 - Reflected Cross-Site Scripting

Published

2025-04-01

Title

LeadQuizzes <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-24

Title

Simple File List < 6.1.13 - Reflected Cross-Site Scripting

Published

2020-07-27

Title

CarePlus <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2024-04-05

Title

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor < 3.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Block