CVE-2025-15386: CWE-79 Cross-Site Scripting (XSS) in Responsive Lightbox & Gallery
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored XSS attack due to flawed regex replacement rules. They can be abused by posting a comment with a malicious link when the lightbox for comments is enabled; the payload triggers once the comment is approved.
AI Analysis
Technical Summary
CVE-2025-15386 is a stored Cross-Site Scripting (XSS) vulnerability in the Responsive Lightbox & Gallery WordPress plugin, affecting versions prior to 2.6.1, including version 1.7.0. The flaw lies in the regular expression replacement logic the plugin applies to comments when its lightbox feature for comments is enabled. An attacker can submit a comment containing a crafted link that passes through these replacement rules without being neutralised. Once a moderator approves the comment, the injected script is stored persistently and runs in the browser of every user who views the comment, so an unauthenticated attacker can execute arbitrary JavaScript in the context of the affected site. This can lead to theft of session cookies, redirection to malicious sites, or other client-side attacks. Submitting the malicious comment requires no authentication, but exploitation depends on the comment being approved, which limits practical exposure to sites with less stringent moderation. No CVSS score has been assigned yet, and no exploits are known in the wild. The vulnerability is tracked under CWE-79, a classic XSS weakness. The plugin is widely used on WordPress sites that provide image galleries with lightbox functionality, so the attack surface is significant. The flaw illustrates the risks of improper input sanitisation and the importance of secure regex usage when transforming user-supplied HTML in web applications.
Potential Impact
The impact of CVE-2025-15386 is significant for organizations running WordPress sites with the vulnerable Responsive Lightbox & Gallery plugin and enabled comment lightbox features. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive user data, defacement of the website, or distribution of malware. This undermines user trust and can damage brand reputation. For e-commerce, financial, or sensitive information portals, the confidentiality and integrity of user data are at risk. The vulnerability can also be leveraged for phishing attacks by injecting deceptive content. Although exploitation requires comment approval, sites with lax moderation policies are particularly vulnerable. The availability of the site is less likely to be directly affected, but indirect impacts such as blacklisting by search engines or browsers due to malicious content can occur. Overall, the vulnerability poses a high risk to the confidentiality and integrity of affected websites and their users.
Mitigation Recommendations
To mitigate CVE-2025-15386, organizations should immediately upgrade the Responsive Lightbox & Gallery plugin to version 2.6.1 or later, where the vulnerability is patched. If upgrading is not immediately possible, disable the lightbox feature for comments to prevent exploitation. Implement strict comment moderation policies to ensure that no untrusted or suspicious comments are approved. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads in comment submissions. Additionally, enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site. Regularly audit and sanitize all user-generated content, especially in comment sections. Monitor logs for unusual comment submissions or script injections. Educate site administrators about the risks of approving comments without proper review. Finally, consider deploying security plugins that provide enhanced input validation and XSS protection.
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-12-31T07:28:37.400Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 699d4271be58cf853b689cc4
Added to database: 2/24/2026, 6:17:21 AM
Last enriched: 2/24/2026, 6:31:49 AM
Last updated: 4/9/2026, 5:49:39 PM