CVE-2025-5537 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Lightbox & Modal Popup WordPress Plugin – FooBox, developed by bradvin. This vulnerability exists in all versions up to and including 2.7.34 due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of image alternative text fields. An attacker with authenticated Author-level privileges or higher can exploit this flaw by injecting malicious JavaScript code into the alt text of images managed by the plugin. Because the injected script is stored persistently, it executes whenever any user, including administrators or visitors, accesses the affected page containing the compromised image. The vulnerability leverages CWE-79, indicating improper input validation leading to script injection. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (Author-level), no user interaction, and a scope change, impacting confidentiality and integrity but not availability. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk due to the widespread use of WordPress and the FooBox plugin for image display. Exploitation could lead to session hijacking, defacement, or further attacks on users visiting the compromised pages. The vulnerability is particularly dangerous because it requires only Author-level access, which is commonly granted to contributors and editors, potentially broadening the attacker base within a compromised WordPress environment.

For European organizations, this vulnerability can have serious consequences. Many European businesses and institutions rely heavily on WordPress for their websites, including e-commerce, government, education, and media sectors. An attacker exploiting this XSS flaw could steal session cookies or authentication tokens, leading to unauthorized access to sensitive data or administrative functions. This could result in data breaches violating GDPR regulations, causing legal and financial penalties. Additionally, attackers could deface websites or inject malicious content, damaging brand reputation and user trust. The scope of impact extends to any user visiting the infected pages, including customers and employees, potentially spreading malware or phishing campaigns. Since the vulnerability requires only Author-level access, insider threats or compromised contributor accounts pose a significant risk. The confidentiality and integrity of web content and user data are at risk, although availability is not directly impacted. The medium severity rating reflects the balance between required privileges and potential damage, but the real-world impact could escalate if combined with other vulnerabilities or social engineering tactics.

To mitigate this vulnerability, European organizations should immediately update the FooBox plugin to a patched version once released by the vendor. Until then, restrict Author-level permissions to trusted users only and audit existing user roles to minimize risk. Implement Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting image alt attributes. Conduct thorough input validation and output encoding on all user-supplied content, especially in custom plugin configurations or themes interacting with FooBox. Regularly scan WordPress sites with security tools to detect injected scripts or anomalous content. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of potential XSS attacks. Educate content editors and administrators on safe content practices and the risks of elevated privileges. Finally, monitor logs for suspicious activity related to image uploads or edits, and have an incident response plan ready to contain and remediate any exploitation attempts.