CVE-2025-54051
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block lightbox-block allows Stored XSS. This issue affects LightBox Block: from n/a through <= 1.1.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in bPlugins LightBox Block plugin (≤1.1.30) allows attackers to inject malicious scripts through unneutralized input, fixed in version 1.1.31.
Vulnerability
Overview
CVE-2025-54051 is a stored Cross-Site Scripting (XSS) vulnerability found in the bPlugins LightBox Block WordPress plugin (versions up to and including 1.1.30). The vulnerability arises from improper neutralization of input during web page generation, enabling an attacker to inject arbitrary web scripts or HTML into pages. The plugin fails to sanitize user-supplied data before storing it, which later gets executed in the context of a visitor's browser when the page is loaded [1].
Exploitation
Conditions
Exploitation of this stored XSS vulnerability requires an authenticated user with sufficient privileges (e.g., an author or editor role) to submit malicious input. The attacker does not need to socially engineer the victim; rather, the injected script automatically executes for any user who views the compromised page. This makes it particularly suitable for mass-exploitation campaigns targeting thousands of WordPress sites simultaneously [1].
Impact
Successful exploitation allows an attacker to perform arbitrary actions such as redirecting visitors to malicious sites, injecting advertisements, stealing session cookies, or defacing the website. The CVSS v3 score of 6.5 reflects a medium severity impact, where user interaction is required for initial injection, but no further user action is needed for the payload to execute on subsequent page loads [1].
Mitigation
The vulnerability has been patched in version 1.1.31 of the LightBox Block plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to expedite remediation. If an immediate update is not possible, website administrators should temporarily disable the plugin or implement a web application firewall rule to block malicious input [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 1.1.30
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.