CVE-2025-49397
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Colorbox Lightbox wp-colorbox allows Stored XSS. This issue affects Colorbox Lightbox: from n/a through <= 1.1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Colorbox Lightbox plugin (≤1.1.5) allows attackers with contributor-level access to inject malicious scripts.
The Colorbox Lightbox plugin for WordPress (wp-colorbox), in versions up to and including 1.1.5, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML into the plugin's output, which is then stored and executed when other users view the affected page.
Exploitation requires the attacker to have at least contributor-level access to the WordPress site, and successful execution depends on a privileged user (such as an administrator) performing an action like clicking a link or viewing a crafted page [1]. The injected payload can include malicious scripts that redirect visitors, display unwanted advertisements, or steal session cookies.
The impact is limited to stored XSS within the WordPress context, allowing the attacker to compromise the integrity of the site's content and potentially escalate privileges if an administrator views the malicious content. The CVSS v3 score is 6.5 (Medium), reflecting the need for authenticated access and user interaction [1].
The vulnerability is patched in version 1.1.6, released by the plugin author. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins via Patchstack [1]. No workaround is available beyond updating.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.