CVE-2025-58784

Vulnerability

Overview The ARI Fancy Lightbox plugin for WordPress versions up to and including 1.4.0 suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows attackers with sufficient privileges to inject arbitrary HTML and JavaScript code into the plugin's output, which is then executed when other users visit affected pages.

Exploitation

Attack Surface Exploitation requires a privileged user (e.g., editor or administrator) to be tricked into performing an action such as clicking a malicious link or submitting a crafted form. Once the malicious script is stored, any visitor to the compromised site will execute the injected payload. The attack can be initiated remotely without authentication, but user interaction from a privileged role is necessary to plant the payload.

Impact

Successful exploitation enables an attacker to perform actions like redirecting users to malicious sites, displaying unauthorized advertisements, or stealing sensitive information like session cookies. The CVSS v3 base score of 6.5 (Medium) reflects the potential for partial compromise of confidentiality and integrity.

Mitigation

The vendor has released version 1.4.1 which fixes the vulnerability. Users are strongly advised to update immediately. For sites where updating is not immediately possible, applying a Web Application Firewall (WAF) rule to sanitize plugin-related inputs may serve as a temporary workaround. The vulnerability is considered low likelihood of exploitation but is actively monitored by Patchstack [1].