Medium severity5.4NVD Advisory· Published Nov 19, 2025· Updated Apr 15, 2026
CVE-2025-12359
CVE-2025-12359
Description
The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the 'get_image_size_by_url' function. This is due to insufficient validation of user-supplied URLs when determining image dimensions for gallery items. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Affected products
1- Range: <=2.5.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-fast-image.phpnvd
- plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-frontend.phpnvd
- plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-galleries.phpnvd
- plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/functions.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- research.cleantalk.org/cve-2025-12359nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/7f4c0bd6-f289-4a52-ac11-345076c32d84nvd
News mentions
0No linked articles in our index yet.