Firelight Lightbox < 2.3.15 – Contributor+ Stored XSS | CVE 2025-3597

Description

The plugin does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well.

Proof of Concept

1. To enable the vulnerable functionality, have an administrator account browse to /wp-admin/admin.php?page=firelight-settings and enable the "Include Metadata jQuery extension to allow passing custom parameters via link class." option in "FancyBox Classic: Miscellaneous". 

While the functionality is meant to be restricted to Pro users, simply using your browser's inspector tool and removing the `disabled="disabled"` attribute on the checkbox, checking the box, and saving the changes will work.

2. Next, as a contributor, create a new post containing this HTML block (while in code editor mode):
<a class="{title: '&lt;img src=x onerror=alert(document.domain)&gt;'}" href="https://upload.wikimedia.org/wikipedia/commons/4/4b/Rufous_Breasted_Accentor_Male.jpg">Click me</a>

3. Have another user preview the post, and click the link: the malicious JS is executed.