VYPR
High severity · 8.8 · NVD Advisory · Published Feb 24, 2026 · Updated Apr 15, 2026

CVE-2025-15386


Description

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an unauthenticated stored XSS attack due to flawed regex replacement rules. The flaw can be abused by posting a comment with a malicious link when the lightbox for comments is enabled and the comment is then approved.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Responsive Lightbox & Gallery plugin before 2.6.1 has an unauthenticated stored XSS via malicious comment links when comment lightbox is enabled.

The Responsive Lightbox & Gallery WordPress plugin before version 2.6.1 is vulnerable to an unauthenticated stored cross-site scripting (XSS) attack. The root cause is flawed regex replacement rules in the plugin's handling of links within comments when the lightbox feature for comments is enabled. An attacker can inject a malicious link into a comment, and once the comment is approved, the flawed regex fails to properly sanitize the input, leading to persistent XSS [1].

To exploit this vulnerability, an attacker does not need authentication; they can simply post a comment containing a specially crafted link. The attack requires that the site administrator has enabled the lightbox functionality for comments and that the comment is subsequently approved. The attacker's payload is then stored and executed in the context of any user viewing the page containing the malicious comment [1].

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of visitors, potentially leading to session hijacking, defacement, or redirection to malicious sites. The impact is significant because the attack is unauthenticated and stored, affecting all users who view the compromised page [1].

The vulnerability has been fixed in version 2.6.1 of the plugin. Users are strongly advised to update to the latest version immediately. No workaround is provided other than disabling the comment lightbox feature or upgrading [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.