LightPress Lightbox < 2.3.4 – Contributor+ Stored XSS | CVE 2025-3649 | Plugin Vulnerabilities

Description

The plugin does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.

Proof of Concept

As a contributor, create a new post containing this HTML while in code editor mode:
<a data-download="javascript:alert(document.domain)" href="https://upload.wikimedia.org/wikipedia/commons/4/4b/Rufous_Breasted_Accentor_Male.jpg">Click me</a>

If an administrator previews the post, clicks on the link to open the image dialog then clicks the "Download" link in the dialog, the malicious JS is executed.

Affects Plugins

wp-jquery-lightbox

Fixed in 2.3.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

37fb7f3b-1766-4c2c-9b78-f77f15a04476

Timeline

Publicly Published

2025-04-21 (about 8 months ago)

Added

2025-04-21 (about 8 months ago)

Last Updated

2025-04-21 (about 8 months ago)

Other

Published

Title

Published

2018-12-13

Title

WordPress <= 5.0 - File Upload to XSS on Apache Web Servers

Published

2017-08-21

Title

Liveforms < 3.4.0 - XSS

Published

2024-09-23

Title

Photo Gallery by 10Web < 1.8.28 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2022-09-15

Title

CPO Shortcodes <= 1.5.0 - Admin+ Stored XSS

Published

2023-08-21

Title

FTP Access <= 1.0 - Subscriber+ Stored XSS