Responsive Lightbox2 < 1.0.3 – Authenticated Stored Cross-Site Scripting

Description

The ‘hyperlink’ field in used while linking an image from a URL was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using Responsive Lightbox2 version 1.0.2 and below are affected

Proof of Concept

[lightbox2 url="http://example.com/wp-content/uploads/images/lightbox.jpg" hyperlink="<script>alert(0)</script>"]

Affects Plugins

responsive-lightbox2

Fixed in 1.0.3

References

URL

https://packetstormsecurity.com/files/#158879/

URL

https://melbin.in/2020/08/14/stored-xss-vulnerability-in-wordpress-responsive-lightbox2-plugin/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Melbin K Mathew

Verified

Yes

WPVDB ID

8024d714-1ecb-4820-9593-8d04748aef76

Timeline

Publicly Published

2020-08-17 (about 5 years ago)

Added

2020-08-17 (about 5 years ago)

Last Updated

2020-08-19 (about 5 years ago)

Other

Published

Title

Published

2017-07-20

Title

Arabic Font - CSRF & Stored XSS

Published

2024-05-10

Title

Falang multilanguage for WordPress < 1.3.50 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-12-25

Title

Content Grid Slider <= 1.5 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

GoogleMapper <= 2.0.3 - Reflected Cross-Site Scripting

Published

2022-08-31

Title

Image Hover Effects Ultimate < 9.8.0 - Authenticated Stored XSS