Responsive Lightbox & Gallery < 2.5.3 – Unauthenticated Stored-XSS via Comments | CVE 2025-9710 | Plugin Vulnerabilities

Description

The plugin does not properly handle HTML tag attributes modifications, potentially allowing unauthenticated attackers to abuse the functionality to include event handlers and conduct Stored XSS attacks.

Proof of Concept

1. Install and activate the `responsive-lightbox` plugin
2. Check **Enable lightbox for comments content** from the settings `/wp-admin/admin.php?page=responsive-lightbox-settings`
3. As an unauthenticated user, create a comment with the following content:
```
<a href="abc=123 data-rl_content='title' data-rel=" title=" tabindex=1 autofocus onfocus=alert(1) abc" rel="nofollow ugc">stealthcopter</a>
```
4. Observe JavaScript execution when the comment is approved and viewed. Note that link in the comment appears totally normal in moderation.

Affects Plugins

responsive-lightbox

Fixed in 2.5.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Matthew Rollings

Submitter

Matthew Rollings

Submitter website

https://sec.stealthcopter.com

Submitter twitter

Verified

Yes

WPVDB ID

a45c74b7-b174-479f-9681-464601b082df

Timeline

Publicly Published

2025-09-15 (about 3 months ago)

Added

2025-09-15 (about 3 months ago)

Last Updated

2025-09-15 (about 3 months ago)

Other

Published

Title

Published

2024-12-23

Title

shMapper by Teplitsa < 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-06-12

Title

Telegram for WP <= 1.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2024-06-19

Title

Page Builder: Live Composer < 1.5.43 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-05-03

Title

UserAgent-Spy <= 1.3.1 - Admin+ Stored XSS

Published

2024-10-15

Title

Community by PeepSo < 6.4.6.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting