CVE-2025-5537 identifies a stored cross-site scripting (XSS) vulnerability in the Lightbox & Modal Popup WordPress Plugin – FooBox, maintained by bradvin. This vulnerability affects all plugin versions up to and including 2.7.34. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of image alternative text fields. Authenticated attackers with Author-level privileges or higher can inject arbitrary JavaScript code into these fields. When other users access pages containing the injected content, the malicious scripts execute in their browsers. This can lead to theft of session cookies, defacement, or execution of unauthorized actions on behalf of users. The vulnerability is exploitable remotely over the network without user interaction beyond viewing the affected page. The CVSS 3.1 base score is 6.4, indicating medium severity, with attack vector network, low attack complexity, privileges required (Author), no user interaction, and scope changed due to impact on other users. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability is particularly dangerous in multi-user WordPress environments where multiple authors contribute content, increasing the risk of malicious script injection and propagation.

The impact of CVE-2025-5537 is significant for organizations running WordPress sites with the vulnerable FooBox plugin, especially those with multiple content authors. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users’ browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or site defacement. This undermines user trust and can lead to data breaches or reputational damage. Since the attack requires only Author-level access, insider threats or compromised author accounts can be leveraged to escalate the attack. The vulnerability affects confidentiality and integrity but not availability. Organizations with high-traffic WordPress sites or those handling sensitive user data are at elevated risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate the risk, especially as exploit code may emerge. The scope of impact includes all users who view injected pages, potentially magnifying the damage in large or public-facing websites.

To mitigate CVE-2025-5537, organizations should first check for and apply any official patches or updates from the plugin vendor as soon as they become available. In the absence of patches, administrators should consider disabling or uninstalling the FooBox plugin temporarily. Restrict Author-level privileges strictly and audit existing users for suspicious accounts or behavior. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts in image alt text fields. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly scan WordPress installations for XSS vulnerabilities using specialized security tools. Educate content authors about safe input practices and monitor for unusual content changes. Finally, maintain regular backups and incident response plans to quickly recover from any exploitation.