Firelight Lightbox < 2.3.16 – Contributor+ Stored XSS | CVE 2025-5035 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.

Proof of Concept

1. As an admin, browse to /wp-admin/admin.php?page=firelight-settings and enable the "Enable for Images" option in "FancyBox Classic: Enable".
2. As an author create a new post containing this HTML:
`<a title="&lt;img src=x onerror=&quot;alert()&quot;&gt;" href="https://upload.wikimedia.org/wikipedia/commons/4/4b/Rufous_Breasted_Accentor_Male.jpg">Click me</a>`
3. If another user clicks the link, the JS is executed.

Affects Plugins

Fixed in 2.3.16

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

5dca30af-4624-4a71-93be-00fa8dc00c97

Timeline

Publicly Published

2025-06-06 (about 6 months ago)

Added

2025-06-06 (about 6 months ago)

Last Updated

2025-06-06 (about 6 months ago)

Other

Published

Title

Published

2024-07-09

Title

Send email only on Reply to My Comment <= 1.0.6 - Stored XSS via CSRF

Published

2022-03-07

Title

Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS

Published

2022-05-12

Title

WordPress Forms by Pie Forms < 1.4.9.4 - Admin+ Stored Cross-Site Scripting

Published

2025-01-14

Title

Image Gallery – Responsive Photo Gallery < 2.1 - Reflected Cross-Site Scripting

Published

2023-11-15

Title

Ajax Domain Checker <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting