Stored XSS Vulnerability in Responsive Lightbox & Gallery Plugin by WordPress
CVE-2025-9710

6.3MEDIUM

Key Information:

Vendor: WordPress
Status: Responsive Lightbox & Gallery
Vendor: CVE Published:; 6 October 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-9710?

The Responsive Lightbox & Gallery plugin for WordPress prior to version 2.5.3 has a vulnerability that allows unauthenticated users to manipulate HTML tag attributes effectively. By exploiting this flaw, attackers may inject malicious event handlers, enabling them to execute Stored Cross-Site Scripting (XSS) attacks, which can compromise user data and security.

Affected Version(s)

Responsive Lightbox & Gallery 0 < 2.5.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-9710 - Proof of Concept

References

https://wpscan.com/vulnerability/a45c74b7-b174-479f-9681-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 6, 2025
👾
Exploit known to exist
Oct 6, 2025
Vulnerability published
Oct 6, 2025
Vulnerability Reserved
Aug 29, 2025

Credit

Matthew Rollings

WPScan

JSON