CVE-2025-15386
Published: 24 February 2026
Summary
CVE-2025-15386 is a high-severity vulnerability with an unspecified weakness type (no CWE assigned). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 17.2 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-15386 is an unauthenticated stored cross-site scripting (XSS) vulnerability in the Responsive Lightbox & Gallery WordPress plugin versions prior to 2.6.1. The flaw stems from inadequate regex replacement rules that fail to properly sanitize malicious links in comments. Exploitation requires the lightbox feature for comments to be enabled on the target WordPress site. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for significant impacts on confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this vulnerability by submitting a comment containing a specially crafted malicious link to a vulnerable WordPress site. Once a site administrator approves the comment, the stored payload runs whenever a user views the comment on a site where lightbox for comments is enabled, triggering the XSS in that user's browser. This allows the attacker to steal session cookies, perform actions on behalf of authenticated users, or deface site content, depending on the victim's privileges.
The WPScan advisory at https://wpscan.com/vulnerability/fa3a84b6-6d5d-4e10-8587-ae49c127483b/ details the issue, recommending an immediate upgrade to version 2.6.1 or later of the Responsive Lightbox & Gallery plugin to address the flawed regex handling. Site administrators should also disable lightbox for comments as an interim measure if patching is delayed, and review pending comments for suspicious links.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207548
Vulnerability details
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments is enabled and the comment is then approved.
- CWE(s): none listed
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin maps to Exploit Public-Facing Application (T1190); the stored payload then executes as JavaScript in victims' browsers (T1059.007, JavaScript), enabling cookie theft or actions in the victim's session.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): mandates validation and sanitization of user input such as links in comments, so that XSS payloads that slip past the flawed regex rules are not stored.
- SI-15 (Information Output Filtering): requires filtering of output such as lightbox-rendered comment links, so that a stored malicious script is not executed in viewers' browsers.
- SI-2 (Flaw Remediation): establishes timely flaw remediation processes for upgrading the plugin from versions before 2.6.1, directly addressing the inadequate regex handling.
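As an added illustration of the first two controls applied to the comment-link rewrite described in the Deeper analysis (this is example code written for this page, not the plugin's own): it parses comment anchors with an HTML parser instead of regex replacement, flags hrefs a moderator should review, and escapes the href when re-emitting the lightbox anchor. The `data-rel="lightbox"` attribute, the helper names and the sample comments are constructed for the example.

```python
# Added illustration (not the plugin's code): parse comment anchors with an HTML
# parser instead of regex replacement, validate each href before storage/review
# (SI-10) and escape it when re-emitting the lightbox anchor (SI-15).
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # relative links (empty scheme) also pass
BREAKING_CHARS = set('"\'<>')        # would terminate an attribute or a tag

class _AnchorCollector(HTMLParser):
    """Collect href values; the parser decodes entities such as &quot; for us."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v or "" for k, v in attrs if k == "href")

def classify_href(href):
    """Return None if href is safe inside a lightbox anchor, else a reason string."""
    try:
        scheme = urlsplit(href.strip()).scheme
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return "unparseable URL"
    if scheme and scheme not in ALLOWED_SCHEMES:
        return f"disallowed scheme: {scheme}"
    if BREAKING_CHARS & set(href):
        return "attribute-breaking characters in href"
    return None

def triage_comment(comment_html):
    """Return [(href, reason), ...] for links a moderator should review."""
    collector = _AnchorCollector()
    collector.feed(comment_html)
    return [(h, r) for h in collector.hrefs if (r := classify_href(h))]

def lightbox_anchor(href, text):
    """Escaped lightbox anchor (data-rel is a constructed marker), or just the text if href is unsafe."""
    if classify_href(href) is not None:
        return escape(text)  # keep the comment text, drop the link
    return f'<a href="{escape(href)}" data-rel="lightbox">{escape(text)}</a>'

if __name__ == "__main__":
    sample = ('<a href="https://example.com/pic.jpg">ok</a> '          # constructed
              '<a href="javascript:void(0)">scheme</a> '
              '<a href="https://example.com/x.jpg&quot; data-x=&quot;y">quote</a>')
    for href, reason in triage_comment(sample):
        print(f"{reason}: {href}")
```

The third sample shows why the parser matters: the quote arrives entity-encoded, so a regex run over the raw comment HTML never sees a `"`, while the decoded attribute value does contain one.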