CVE-2025-60124
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Hellyer Simple Colorbox simple-colorbox allows Stored XSS. This issue affects Simple Colorbox: from n/a through <= 1.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Simple Colorbox <= 1.6.1 lets an authenticated attacker inject arbitrary script that runs in the browsers of visitors to the affected pages.
Vulnerability
Overview
Simple Colorbox for WordPress, in versions up to and including 1.6.1, contains a stored cross-site scripting (XSS) vulnerability: user-supplied input is written into the plugin's generated markup without being neutralized for the context it lands in [1]. An authenticated user with sufficient privileges can store a payload that the plugin later renders, so the script runs in the browser of every visitor who loads the affected page. The description does not identify which field or setting carries the input.
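The following is an added illustration of the weakness class named above (improper neutralization during page generation); it is not code from Simple Colorbox, and the field name, the markup and the stored value are constructed for the demonstration. It renders the same stored value two ways, once with only angle brackets neutralized and once escaped for the attribute context, then parses the result the way a browser would to show which version hands the browser an event handler.

```python
import html
from html.parser import HTMLParser

# Constructed sample value: what an authenticated user might store in a plugin
# setting or post field that the plugin later prints inside an HTML attribute.
# It is aimed at the attribute context, so it carries quotes, not angle brackets.
STORED_CAPTION = '" onmouseover="alert(document.domain)" data-x="'


def render_naive(caption: str) -> str:
    """Vulnerable pattern (hypothetical): only < and > are neutralized before
    the value is interpolated into a title attribute. That is enough for a
    text node but does nothing against a value that closes the attribute
    with a quote."""
    partial = caption.replace("<", "&lt;").replace(">", "&gt;")
    return f'<a class="colorbox" title="{partial}" href="/image.jpg">view</a>'


def render_escaped(caption: str) -> str:
    """Hardened pattern: escape for the attribute context at output time.
    html.escape(quote=True) encodes & < > " and ', the same set that
    WordPress's esc_attr() neutralizes. The stored value is left untouched;
    the fix lives where the markup is generated."""
    safe = html.escape(caption, quote=True)
    return f'<a class="colorbox" title="{safe}" href="/image.jpg">view</a>'


class _FirstAnchor(HTMLParser):
    """Collects the attributes of the first <a> tag, decoding entities the
    way a browser would, so we see what the browser actually receives."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    parser = _FirstAnchor()
    parser.feed(markup)
    return parser.attrs or {}


def has_event_handler(markup: str) -> bool:
    """True if the rendered anchor carries any on* attribute, i.e. the stored
    value broke out of its intended context and became executable."""
    return any(name.startswith("on") for name in anchor_attributes(markup))


if __name__ == "__main__":
    for label, render in (("naive", render_naive), ("escaped", render_escaped)):
        out = render(STORED_CAPTION)
        print(f"{label:8} handler={has_event_handler(out)} "
              f"attrs={sorted(anchor_attributes(out))}")
```

The point the comparison makes is that the stored text is identical in both cases; what decides whether it is data or code is the neutralization applied at the place the markup is generated, and that neutralization has to match the output context (attribute, text node, URL, script) rather than strip a fixed set of characters.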
Exploitation
Details
An attacker who can submit content that the plugin stores and later renders can supply a payload the plugin does not neutralize on output. The description does not state the minimum role needed; stored XSS in WordPress plugins of this kind usually requires a contributor-level or higher account, but treat that as unconfirmed for this entry. Once stored, the payload fires whenever a visitor loads a page that renders the injected content; the victim only has to view the page, and no click or other interaction is needed [1].
Impact
Successful exploitation lets the attacker inject arbitrary HTML and JavaScript into pages served by the site, which can redirect visitors to attacker-controlled sites, show unwanted content or advertisements, or deface the page. Because the payload is stored, every visitor to the affected page is exposed, not only a victim who follows a crafted link [1]. Two caveats for scoping the impact: WordPress sets its authentication cookies with the HttpOnly flag, so injected script will usually not be able to read them directly, and the more serious outcome is the script acting inside the session of a logged-in victim. If an administrator views the injected content, the script can issue authenticated requests on that user's behalf, for example to create a further administrator account.
Mitigation
No patched version is recorded for this entry yet; sites running Simple Colorbox up to and including 1.6.1 should update as soon as a fix is published and, until then, consider deactivating the plugin if it is not essential. Where it must stay active, limit the accounts that can submit content the plugin renders to trusted users (the exact role required is not confirmed by the description), review the plugin's stored settings and any content it renders for injected markup, and consider a Web Application Firewall (WAF) and a Content Security Policy as interim defenses against script injection until a permanent patch is applied [1].
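As an added example for the update check above (not tooling from the vendor or from this CVE's references), the script below reads the Version: line of a WordPress plugin header and compares it numerically against the 1.6.1 upper bound from the description. The plugin directory slug (simple-colorbox) and main-file name (simple-colorbox.php) are assumptions about the plugin's layout, and the header text used for the demonstration is constructed.

```python
import re
import sys
from pathlib import Path

# Upper bound of the affected range, taken from the CVE description.
AFFECTED_MAX = "1.6.1"

# Constructed sample of a WordPress plugin header (the comment block at the
# top of a plugin's main file); the Version: line is what the check reads.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Simple Colorbox
 * Plugin URI: https://example.invalid/simple-colorbox
 * Description: constructed sample for the version check
 * Version: 1.6.1
 */
"""

# WordPress reads header fields case-insensitively, one per line, optionally
# behind a leading "*" in the comment block.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(v: str) -> tuple:
    """Compare numerically per component, so 1.10.0 sorts above 1.6.1 and a
    suffix such as 1.6.1-beta is read as 1.6.1 (pre-release tags are ignored,
    which errs on the side of reporting a pre-release of 1.6.1 as affected)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str, max_affected: str = AFFECTED_MAX) -> bool:
    return parse_version(version) <= parse_version(max_affected)


def header_version(plugin_source: str):
    m = _VERSION_RE.search(plugin_source)
    return m.group(1) if m else None


def classify_source(plugin_source: str) -> tuple:
    """Returns (status, version) for the contents of a plugin's main file."""
    v = header_version(plugin_source)
    if v is None or not parse_version(v):
        return ("unknown", v)
    return ("affected" if is_affected(v) else "not-affected", v)


def check_install(wp_root: str, slug: str = "simple-colorbox",
                  main_file: str = "simple-colorbox.php") -> tuple:
    """Locates the plugin under wp-content/plugins and classifies it.
    The slug and main-file name are assumptions, not taken from the CVE."""
    path = Path(wp_root) / "wp-content" / "plugins" / slug / main_file
    if not path.is_file():
        return ("not-installed", None)
    return classify_source(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    status, version = check_install(root)
    print(f"simple-colorbox: {status} (version {version})")
```

Run it with the WordPress document root as the first argument. Comparing version components as integers rather than as strings matters here: a string comparison would place 1.10 below 1.6.1 and report a hypothetical future release as affected.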
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Simple Colorbox (no CPE assigned): versions <= 1.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions: no linked articles in our index yet.