Stored XSS Flaw in LightPress Lightbox Plugin for WordPress
CVE-2025-3649

6.8 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 12 May 2025

Badges

👾 Exploit Exists · 🟡 Public PoC

What is CVE-2025-3649?

The LightPress Lightbox plugin for WordPress, in versions prior to 2.3.4, is susceptible to a stored cross-site scripting (XSS) vulnerability caused by insufficient validation of download links. The flaw allows users with the Contributor role to submit crafted link entries whose script executes in the browser of anyone who accesses the link, potentially compromising the site. Users should update to the latest version to remove this risk from their WordPress installations.
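The root cause described above is a link value that reaches an `href` attribute without scheme validation or attribute escaping. The following is an added illustration, not code from the LightPress Lightbox plugin, of the two defensive layers a plugin should apply to a user-supplied download link: allowlist the URL scheme before storing it, and HTML-escape it on output. The helper names (`validate_download_link`, `render_download_link`) and the sample inputs are constructed for this example; it is plain PHP so it runs without WordPress.

```php
<?php
// Added illustration (not the plugin's code): validate a contributor-supplied
// download link before it is stored and escape it when it is rendered.
// Helper names are hypothetical; plain PHP, no WordPress dependency.

/**
 * Return the link if it is an absolute http(s) URL, otherwise null.
 * Allowlisting the scheme is what blocks javascript: and data: links that
 * would otherwise execute when the rendered anchor is clicked.
 */
function validate_download_link(string $raw): ?string {
    $raw = trim($raw);
    // Reject control characters and embedded whitespace before parsing:
    // parsers tolerate them, but browsers may strip them and change the scheme.
    if (preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

/** Render the anchor; both the URL and the label are always attribute/HTML-escaped. */
function render_download_link(string $link, string $label): string {
    $safe_label = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_link  = validate_download_link($link);
    if ($safe_link === null) {
        // Fall back to plain text rather than emitting a link at all.
        return '<span>' . $safe_label . '</span>';
    }
    return sprintf(
        '<a href="%s" download>%s</a>',
        htmlspecialchars($safe_link, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $safe_label
    );
}

// Constructed sample inputs, as a contributor might submit them.
$samples = [
    'https://example.com/files/report.pdf',        // accepted
    'javascript:alert(1)',                         // rejected: scheme not allowed
    'https://example.com/x"onmouseover="alert(1)', // valid URL; the quote is escaped on output
    'ftp://example.com/file.zip',                  // rejected: not http(s)
    'https://example.com/a b',                     // rejected: whitespace inside URL
];

foreach ($samples as $s) {
    echo render_download_link($s, 'Download'), PHP_EOL;
}
```

In a real WordPress plugin the same two layers are provided by core: `esc_url()` restricts the scheme to the list returned by `wp_allowed_protocols()` and `esc_attr()` escapes the attribute value; the point of the example is that both the scheme check and the escaping are needed, since neither alone covers the other case.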

Affected Version(s)

LightPress Lightbox, all versions before 2.3.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Pierre Rudloff (WPScan)