Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block lightbox-block allows Stored XSS. This issue affects LightBox Block: from n/a through <= 1.1.30.
Published: 2025-07-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw that allows an attacker to insert arbitrary JavaScript into pages served by the WordPress site. It arises because the plugin does not properly neutralize input before rendering it in the generated page. If successfully exploited, the injected script is saved in the site's content and executes in the browser of every user who views the affected page, so a single injection persists until the stored content is removed.

Affected Systems

The issue affects any installation of the bPlugins LightBox Block plugin for WordPress with a version number from the earliest releases through 1.1.30. No other version information is specified, so any deployment of the plugin at or below 1.1.30 is considered vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild. The flaw is not listed in CISA's KEV catalog. Based on the description and the CVSS vector (network access, low privileges required, user interaction required, changed scope), the most likely attack path is an authenticated user with content-editing rights supplying a malicious payload through the plugin's block or administrative interface; the payload is then stored and rendered to all visitors of the site.

Generated by OpenCVE AI on April 30, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LightBox Block to a version newer than 1.1.30 or uninstall the plugin if it is not required.
  • If a newer version cannot be installed immediately, disable the plugin entirely or block access to its administrative pages to prevent new malicious content from being stored.
  • Implement a Content Security Policy that restricts execution of unknown scripts, thereby mitigating the impact of any stored script that may already reside in the site’s content.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-21657
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block allows Stored XSS. This issue affects LightBox Block: from n/a through 1.1.30.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block allows Stored XSS. This issue affects LightBox Block: from n/a through 1.1.30. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block lightbox-block allows Stored XSS.This issue affects LightBox Block: from n/a through <= 1.1.30.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Jul 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00031}


Wed, 16 Jul 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block allows Stored XSS. This issue affects LightBox Block: from n/a through 1.1.30.
Title WordPress LightBox Block plugin <= 1.1.30 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:29.788Z

Reserved: 2025-07-16T08:52:07.076Z

Link: CVE-2025-54051

Vulnrichment

Updated: 2025-07-16T20:10:26.006Z

NVD

Status: Deferred

Published: 2025-07-16T11:15:32.597

Modified: 2026-04-23T15:32:46.530

Link: CVE-2025-54051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:45:26Z

Weaknesses