CVE-2025-9710: CWE-79 Cross-Site Scripting (XSS) in Responsive Lightbox & Gallery
The Responsive Lightbox & Gallery WordPress plugin before 2.5.3 does not properly handle HTML tag attributes modifications, potentially allowing unauthenticated attackers to abuse the functionality to include event handlers and conduct Stored XSS attacks.
AI Analysis
Technical Summary
CVE-2025-9710 is a CWE-79 (cross-site scripting) vulnerability in the Responsive Lightbox & Gallery WordPress plugin before version 2.5.3. According to the WPScan description, the plugin does not properly handle modifications to HTML tag attributes: when it rewrites markup, attacker-supplied attributes are carried through unfiltered, so event-handler attributes (onclick, onerror, onmouseover and other on* handlers) end up in the rendered output. Because the injected attribute is saved with the content and fires in the browser of every visitor who loads the affected page, this is stored rather than reflected XSS. In a WordPress context the script runs with whatever session the viewer holds: it can perform actions through the admin pages or REST API as that user (WordPress authentication cookies are HttpOnly, so the script acts with the session rather than reading the cookie), deface pages, or redirect visitors to phishing or malware sites; if an administrator views the page, the attacker effectively has administrator rights on the site. The description states that exploitation requires no authentication, and the victim need only visit the page. No public exploit was referenced at the time of publication, and no CVSS score had been assigned. The CVE was reserved on 29 August 2025 and published in early October 2025. The listing carries no patch link, but the affected range "before 2.5.3" identifies 2.5.3 as the fixed release.
Potential Impact
For European organizations, this vulnerability is a risk to any WordPress site that uses the Responsive Lightbox & Gallery plugin. Exploitation runs attacker-controlled script in visitors' browsers, which can expose personal data entered on the site, let the attacker act as a logged-in user, or take over the site entirely if an administrator views the poisoned page. That can lead to data breaches, reputational damage, and GDPR obligations such as breach notification. Public sector websites, e-commerce platforms, and corporate portals are the natural targets for defacement, phishing overlays, and session abuse. Because the payload is stored, it keeps firing until the content is cleaned, so exposure lasts as long as the injection goes unnoticed. An injected script can also be used to serve malware or to reach internal web applications from the victim's browser. Availability impact is indirect: a script can break or hide page content for visitors, but the server itself is not affected.
Mitigation Recommendations
European organizations should inventory their WordPress installations for the Responsive Lightbox & Gallery plugin and upgrade it to version 2.5.3 or later; the affected-range wording identifies 2.5.3 as the fixed release, even though the listing carries no patch link. Where the upgrade cannot be applied immediately, disabling the plugin is the only reliable interim measure, since the description states the flaw is reachable without authentication and restricting editing rights therefore does not close it. A Content Security Policy whose script-src omits 'unsafe-inline' (using nonces or hashes for legitimate inline scripts) stops inline event-handler attributes from executing, which is exactly the vector here; the caveat is that WordPress core, themes and many plugins rely on inline scripts, so such a policy must be rolled out in report-only mode first and tested. Web application firewall rules that look for on*= attributes and javascript: URLs in request bodies raise the cost of exploitation but are bypassable with encoding and whitespace tricks, so treat them as a speed bump rather than a fix. Because the payload is stored, sites that ran a vulnerable version should also check existing content: search post content, post meta and options for event-handler attributes (for example with wp-cli's `wp db search --regex` against a pattern such as `on[a-z]+\s*=`), and review any hit by hand. Enforce input sanitization and output encoding in site customizations (wp_kses with an explicit allowlist, esc_attr for attribute values), monitor for new administrator accounts, unexpected plugin installs and unfamiliar script tags in pages, and keep administrators and developers aware of how stored XSS is introduced and reviewed.
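The two practical pieces above, a check of stored content for injected handlers and an attribute rewrite that cannot let them through, are shown together in the following added example. It is not code from the Responsive Lightbox & Gallery plugin (which is PHP) and does not reproduce its internals; it models the bug class the advisory describes in Python using the standard-library HTML parser. The tag and attribute allowlists, the sample markup and the data-rel attribute are assumptions made for the example.

```python
"""Find and strip injected HTML event handlers in stored gallery markup.

Added example for this page, not code from the Responsive Lightbox & Gallery
plugin. It models the bug class the advisory describes (attribute rewriting
that lets on* handlers and javascript: URLs survive) and shows what a
defender wants instead: a scanner for exported content and an allowlist
based rewrite. The allowlists and sample markup below are assumptions.
"""
import html
import re
from html.parser import HTMLParser

# Attributes whose value is a URL and can therefore carry a javascript: scheme
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

# Assumed allowlist for the two tags a lightbox plugin typically rewrites
ALLOWED_ATTRS = {
    "a": {"href", "title", "class", "rel", "target", "data-rel"},
    "img": {"src", "alt", "title", "class", "width", "height", "srcset", "loading"},
}


def is_script_url(value):
    """True for javascript: URLs, after removing the whitespace and control
    characters browsers ignore inside the scheme. html.parser has already
    decoded entities such as &#9; by the time the value reaches us."""
    if not value:
        return False
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")


class HandlerScanner(HTMLParser):
    """Collect every on* attribute and javascript: URL in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names and unescapes values for us
        for name, value in attrs:
            if name.startswith("on") or (name in URL_ATTRS and is_script_url(value)):
                self.findings.append((tag, name, value))


def scan_html(document):
    """Return [(tag, attribute, value)] for every suspicious attribute found."""
    scanner = HandlerScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


class _FirstTag(HTMLParser):
    """Capture the first opening tag of a fragment and its attributes."""

    def __init__(self):
        super().__init__()
        self.tag, self.attrs = None, []

    def handle_starttag(self, tag, attrs):
        if self.tag is None:
            self.tag, self.attrs = tag, attrs


def rewrite_tag(tag_html, extra_attrs):
    """Rebuild an <a> or <img> opening tag from allowlisted attributes only,
    then add extra_attrs (the plugin's own data-* attributes, for example).
    Anything else, on* handlers included, is dropped rather than copied, and
    every value is re-escaped so it cannot break out of its attribute."""
    parser = _FirstTag()
    parser.feed(tag_html)
    parser.close()
    if parser.tag not in ALLOWED_ATTRS:
        raise ValueError(f"unsupported tag <{parser.tag}>")
    kept = {}
    for name, value in parser.attrs:
        if name not in ALLOWED_ATTRS[parser.tag]:
            continue
        if name in URL_ATTRS and is_script_url(value):
            continue
        kept[name] = value or ""
    kept.update(extra_attrs)
    rendered = [parser.tag] + [
        f'{k}="{html.escape(v, quote=True)}"' for k, v in kept.items()
    ]
    return "<" + " ".join(rendered) + ">"


# Constructed sample: one clean gallery link followed by three injected payloads
SAMPLE = """
<a href="image.jpg" data-rel="lightbox"><img src="thumb.jpg" alt="ok"></a>
<img src="x" onerror="alert(document.cookie)">
<a href="javascript:alert(1)">click</a>
<a href="JaVa&#9;script:alert(2)" onmouseover="alert(3)">hover</a>
"""

if __name__ == "__main__":
    for tag, name, value in scan_html(SAMPLE):
        print(f"<{tag}> {name}={value!r}")
    print(rewrite_tag('<a href="image.jpg" onclick="alert(1)">', {"data-rel": "lightbox"}))
```

Run against a content export (for example the output of `wp db export` or a dump of `wp_posts.post_content`), `scan_html` lists every tag that carries a handler or a javascript: URL, including the entity-encoded and whitespace-padded variants a naive substring search misses. `rewrite_tag` is the shape of the fix: copy only attributes you expect, never attributes you merely failed to recognise as dangerous, and escape every value on output. In PHP the same effect comes from wp_kses with an explicit allowed-attribute list plus esc_attr when assembling the tag.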
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-08-29T18:48:14.022Z
- CVSS Version: null (no score assigned at publication)
- State: PUBLISHED
Threat ID: 68e35d5084408e5eb7a864a9
Added to database: 10/6/2025, 6:10:24 AM
Last enriched: 10/6/2025, 6:11:01 AM
Last updated: 10/7/2025, 10:52:15 AM
Related Threats
- Security Firm Exposes Role of Beijing Research Institute in China's Cyber Operations (Medium)
- CVE-2025-11387: Stack-based Buffer Overflow in Tenda AC15 (High)
- CVE-2025-11386: Stack-based Buffer Overflow in Tenda AC15 (High)
- CVE-2025-11385: Buffer Overflow in Tenda AC20 (High)
- CVE-2025-11360: Cross Site Scripting in jakowenko double-take (Medium)