CVE-2025-15386 Overview
CVE-2025-15386 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Responsive Lightbox & Gallery WordPress plugin prior to version 2.6.1. This vulnerability allows unauthenticated attackers to inject malicious scripts through WordPress comments when the lightbox functionality for comments is enabled. The flaw originates from inadequate regex replacement rules used for processing comment content, enabling attackers to bypass input sanitization and inject persistent malicious payloads.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the browsers of site visitors and administrators, potentially leading to session hijacking, credential theft, website defacement, or malware distribution through legitimate WordPress sites.
Affected Products
- Responsive Lightbox & Gallery WordPress plugin versions prior to 2.6.1
- WordPress installations with lightbox for comments feature enabled
- Sites that allow and approve user comments containing links
Discovery Timeline
- 2026-02-24 - CVE-2025-15386 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2025-15386
Vulnerability Analysis
This Stored XSS vulnerability exists due to improper input validation in the plugin's comment processing functionality. When the lightbox feature for comments is enabled, the plugin applies regex replacement rules to transform links in approved comments into lightbox-compatible elements. These regex patterns fail to adequately sanitize malicious input, allowing attackers to craft specially constructed links that bypass the sanitization process and inject executable JavaScript code.
The attack requires no authentication, making it particularly dangerous for public-facing WordPress sites that allow comment submissions. Once a malicious comment is approved by a site administrator, the stored XSS payload executes in the browser of any user viewing the affected page, including administrators with elevated privileges.
Root Cause
The vulnerability stems from flawed regex replacement rules in the plugin's comment processing logic. The regex patterns used to identify and transform links fail to account for certain edge cases and malicious input patterns. Attackers can abuse these gaps to inject JavaScript payloads that survive the transformation process and render as executable code in the browser.
Attack Vector
The attack follows a network-based vector requiring minimal user interaction. An attacker submits a comment containing a maliciously crafted link to a target WordPress post or page. The attack flow proceeds as follows:
- Attacker identifies a WordPress site using Responsive Lightbox & Gallery plugin with comments enabled
- Attacker crafts a comment containing a malicious link designed to exploit the flawed regex replacement
- Comment is submitted and awaits moderator approval
- Once approved, the malicious payload is stored in the database
- Any visitor viewing the page triggers the XSS payload execution
The vulnerability can be exploited to steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or inject cryptocurrency miners and other malicious scripts.
Detection Methods for CVE-2025-15386
Indicators of Compromise
- Unusual JavaScript execution patterns in approved WordPress comments
- Comments containing obfuscated or encoded link structures that appear suspicious
- Browser console errors or unexpected script executions on pages with comments enabled
- Reports from users experiencing unexpected redirects or pop-ups when viewing comments
Detection Strategies
- Review approved comments for suspicious link patterns, particularly those with unusual encoding or nested structures
- Monitor web application logs for comment submissions containing potential XSS payloads
- Deploy Content Security Policy (CSP) headers, with violation reporting enabled, to block unauthorized inline and third-party script execution and to surface blocked attempts in the reports
- Deploy web application firewall (WAF) rules to identify and block common XSS attack patterns in comment submissions
Monitoring Recommendations
- Enable verbose logging for comment submissions and approvals in WordPress
- Configure security plugins to alert on potential XSS patterns in user-submitted content
- Monitor browser-side errors and script execution anomalies using client-side telemetry
- Regularly audit approved comments for suspicious content patterns
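Added example (not from this advisory or the plugin's own code): a small Python auditor for the comment-review steps listed under Detection Strategies and Monitoring Recommendations. It flags event-handler attributes, javascript:/data:/vbscript: link schemes and script-capable tags in stored comment HTML. The comment rows are constructed samples; in practice you would feed it the comment_content of approved rows exported from the wp_comments table.

```python
import re
from html.parser import HTMLParser

# Constructed sample comment bodies (not real site data): the kind of HTML
# an administrator would review when auditing approved comments.
SAMPLE_COMMENTS = [
    {"id": 1, "content": 'Nice shot! <a href="https://example.com/a.jpg">mine</a>'},
    {"id": 2, "content": '<a href="https://example.com/b.jpg" onmouseover="alert(1)">b</a>'},
    {"id": 3, "content": '<a href=" JavaScript:alert(document.cookie)">c</a>'},
    {"id": 4, "content": '<a href="&#106;avascript:alert(1)">entity-encoded</a>'},
    {"id": 5, "content": "plain text, no markup at all"},
]

DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}

class LinkAuditor(HTMLParser):
    """Collects findings for tags/attributes that should never appear in a comment."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes entities in values,
        # so "&#106;avascript:" in the sample above reaches us as "javascript:".
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> has event handler attribute {name}")
            elif name in ("href", "src"):
                # Drop whitespace and control characters that browsers ignore
                # before the scheme, then compare case-insensitively.
                norm = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
                if norm.startswith(DANGEROUS_SCHEMES):
                    self.findings.append(f"<{tag}> {name} uses {norm.split(':')[0]}: scheme")

def audit_comment(html):
    """Return a list of findings for one comment body (empty list means clean)."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def audit_comments(comments):
    # Map comment id -> findings, keeping only comments with at least one finding
    return {c["id"]: f for c in comments if (f := audit_comment(c["content"]))}
```

A hit does not prove exploitation of this CVE (the plugin's exact regex gap is not described here); it marks a comment that needs manual review and, if unexplained, removal.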
How to Mitigate CVE-2025-15386
Immediate Actions Required
- Update Responsive Lightbox & Gallery plugin to version 2.6.1 or later immediately
- Temporarily disable the lightbox for comments feature until the patch is applied
- Review and audit all previously approved comments for potentially malicious content
- Consider temporarily disabling comments on affected sites until remediation is complete
Patch Information
The vulnerability is addressed in Responsive Lightbox & Gallery version 2.6.1. Site administrators should update the plugin through the WordPress dashboard or by downloading the latest version from the WordPress plugin repository. For detailed vulnerability information, refer to the WPScan Vulnerability Details.
Workarounds
- Disable the "Lightbox for comments" feature in the plugin settings until the update can be applied
- Implement strict comment moderation policies and carefully review all links in comments before approval
- Deploy a Web Application Firewall (WAF) with rules to filter potential XSS payloads in comment submissions
- Consider using a security plugin that sanitizes comment content before storage
To disable the lightbox for comments feature, navigate to the plugin settings in your WordPress dashboard (Settings > Responsive Lightbox) and ensure the comments lightbox option is disabled. Additionally, consider implementing Content Security Policy headers to limit the impact of any stored XSS payload that does get rendered:
# Apache - Add to .htaccess or virtual host configuration (requires mod_headers)
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
Note that a policy of script-src 'self' also blocks the inline scripts that WordPress core, themes and other plugins emit, so roll it out first as Content-Security-Policy-Report-Only, review the violation reports, and only then switch to the enforcing header.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.