Server-Side Request Forgery in Responsive Lightbox & Gallery Plugin for WordPress
CVE-2025-12359

5.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 19 November 2025

What is CVE-2025-12359?

The Responsive Lightbox & Gallery plugin for WordPress contains a vulnerability that allows authenticated attackers with Author-level access or higher to exploit the 'get_image_size_by_url' function. This vulnerability stems from inadequate validation of user-supplied URLs, which can lead to the web application making unintended web requests to arbitrary locations. As a result, attackers could potentially manipulate or query sensitive information from internal services, posing significant risks to the integrity of the web application and its underlying data.
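The kind of destination check whose absence the description above refers to, as an added example (not the plugin's code or its patch): it validates a user-supplied image URL before any server-side request is made. The function names, the stub resolver and the sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not the plugin's code.

// True only for public addresses: rejects private, loopback, link-local, reserved.
function example_is_public_ip(string $ip): bool {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Returns [true, resolved IPs] or [false, reason]. $resolver maps host -> IPs|false.
function example_check_image_url(string $url, ?callable $resolver = null): array {
    $p = parse_url($url);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return [false, 'unparseable URL'];
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed'];
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return [false, 'credentials in URL'];
    }
    $host = trim($p['host'], '[]');            // parse_url keeps brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];                        // IP literal: no DNS lookup needed
    } else {
        $resolver = $resolver ?? 'gethostbynamel'; // IPv4 only; returns false on failure
        $ips = $resolver($host) ?: [];
    }
    if ($ips === []) {
        return [false, 'host does not resolve'];
    }
    foreach ($ips as $ip) {                    // every resolved address must be public
        if (!example_is_public_ip($ip)) {
            return [false, "resolves to non-public address $ip"];
        }
    }
    return [true, $ips];
}

// Constructed sample input; the stub resolver keeps the run offline.
$stub = fn(string $h) => ['intranet.example' => ['10.0.0.5']][$h] ?? false;
$urls = ['https://93.184.216.34/photo.jpg', 'http://127.0.0.1:8080/x.png',
         'http://[::1]/x.png', 'ftp://files.example/x.png', 'http://intranet.example/logo.png'];
foreach ($urls as $u) {
    [$ok, $detail] = example_check_image_url($u, $stub);
    echo ($ok ? 'ALLOW ' : 'BLOCK ') . $u . ' (' . ($ok ? implode(',', $detail) : $detail) . ")\n";
}
```

A check like this only holds if the later fetch connects to the addresses that were validated and re-validates every redirect target, since the hostname can resolve differently on a second lookup. Inside WordPress, `wp_safe_remote_get()` applies the core URL validation (`wp_http_validate_url()`) to the request for you.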

Affected Version(s)

Responsive Lightbox & Gallery * <= 2.5.3

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev