Responsive Lightbox & Gallery < 2.6.1 – Unauthenticated Stored XSS | CVE 2025-15386 | Plugin Vulnerabilities

Description

The plugin is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved.

Proof of Concept

1. Check "Enable lightbox for comments content" from the settings: /wp-admin/admin.php?page=responsive-lightbox-settings

2. As an unauthenticated user, create a comment on any post/page with the following content:

<a href="abc=123.bmp' data-rl_content='title' data-rel=" title=" tabindex=1 autofocus onfocus=alert(1) abc" rel="nofollow ugc">stealthcopter</a>

3. As an admin, approve the comment.

4. Observe JavaScript execution when the comment is viewed.

Affects Plugins

responsive-lightbox

Fixed in 2.6.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Matthew Rollings

Submitter

Matthew Rollings

Submitter website

https://sec.stealthcopter.com

Submitter twitter

Verified

Yes

WPVDB ID

fa3a84b6-6d5d-4e10-8587-ae49c127483b

Timeline

Publicly Published

2026-02-03 (about 21 days ago)

Added

2026-02-03 (about 21 days ago)

Last Updated

2026-02-03 (about 21 days ago)

Other

Published

Title

Published

2021-08-13

Title

Moova for WooCommerce < 3.8 - Reflected Cross-Site Scripting

Published

2025-06-23

Title

Off-Canvas Sidebars & Menus (Slidebars) < 0.5.8.5 - Reflected Cross-Site Scripting

Published

2025-12-04

Title

CoSign Single Signon <= 0.3.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

Published

2022-05-31

Title

Automatic Domain Changer < 2.0.3 - Reflected Cross-Site Scripting

Published

2025-11-10

Title

GitHub Gist Shortcode Plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting