Description

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an unauthenticated stored XSS attack due to flawed regex replacement rules. The flaw can be abused by posting a comment containing a malicious link when the lightbox for comments is enabled and the comment is then approved.

State: PUBLISHED | Reserved 2025-12-31 | Published 2026-02-24 | Updated 2026-02-24 | Assigner: WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status: unaffected

1.7.0 (semver) before 2.6.1: affected

Credits

Matthew Rollings (finder)

WPScan (coordinator)

References

wpscan.com/...rability/fa3a84b6-6d5d-4e10-8587-ae49c127483b/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2025-15386)

nvd.nist.gov (CVE-2025-15386)