Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block lightbox-block allows Stored XSS. This issue affects LightBox Block: from n/a through <= 1.1.30.
Analysis (AI)
Stored cross-site scripting (XSS) vulnerability in bPlugins LightBox Block WordPress plugin versions 1.1.30 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users viewing affected content. The vulnerability exists in the web page generation process where user input is not properly neutralized before being rendered, enabling persistence of malicious payloads within the WordPress database. No active exploitation has been confirmed, though the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation risk despite the stored nature of the vulnerability.
Technical Context (AI)
The vulnerability is a Stored XSS flaw (CWE-79) in the bPlugins LightBox Block plugin, a WordPress plugin component responsible for rendering lightbox functionality on web pages. WordPress plugins interact directly with user input and the WordPress admin interface, making improper input sanitization particularly dangerous. When the plugin generates web pages displaying lightbox elements, it fails to neutralize or properly escape user-supplied input before inserting it into the HTML/JavaScript output. This allows an attacker to store malicious JavaScript payloads in the WordPress database (via plugin settings or post/page content), which then execute with the privileges of any user viewing the affected page, including administrators. The plugin's CPE designation would be cpe:2.4.a:bplugins:lightbox-block, affecting the WordPress plugin ecosystem where such vulnerabilities can have cascading impact across multiple sites using the same plugin.
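The escaping failure described above, shown on a hypothetical dynamic block as an added example. This is not the LightBox Block plugin's code, and the page does not identify the plugin's actual injection point; the block name "example/lightbox", the attributes "src" and "caption", and the two render functions are assumptions made for illustration. Block attributes are saved into post_content, so whatever a content author stores there is replayed to every viewer of the page, which is what makes the flaw stored rather than reflected.

```php
<?php
// Added example, not the plugin's own code. Hypothetical dynamic block
// "example/lightbox" with two string attributes, "src" and "caption",
// rendered server-side by a render_callback.

// Vulnerable pattern: attribute values are concatenated straight into the
// markup. A caption containing a double quote closes the title/alt attribute,
// and anything that follows it is parsed by the browser as live markup.
function example_lightbox_render_unsafe( array $attributes ): string {
    $src     = $attributes['src'] ?? '';
    $caption = $attributes['caption'] ?? '';
    return '<a class="lightbox" href="' . $src . '" title="' . $caption . '">'
         . '<img src="' . $src . '" alt="' . $caption . '"></a>';
}

// Hardened pattern: escape for the context each value lands in.
//  - esc_url()  strips disallowed schemes (javascript:, data:, ...) and
//               escapes the result for use inside an HTML attribute.
//  - esc_attr() escapes quotes and angle brackets for attribute context.
//  - esc_html() escapes for text-node context (the visible caption).
function example_lightbox_render_safe( array $attributes ): string {
    $src          = esc_url( $attributes['src'] ?? '' );
    $caption_attr = esc_attr( $attributes['caption'] ?? '' );
    $caption_text = esc_html( $attributes['caption'] ?? '' );
    return sprintf(
        '<a class="lightbox" href="%1$s" title="%2$s"><img src="%1$s" alt="%2$s"><span>%3$s</span></a>',
        $src,
        $caption_attr,
        $caption_text
    );
}

// Register the block so WordPress invokes the safe callback. The attribute
// schema here only constrains the JSON type; it does not sanitize content,
// so escaping on output is still required.
add_action( 'init', function () {
    register_block_type( 'example/lightbox', array(
        'attributes'      => array(
            'src'     => array( 'type' => 'string', 'default' => '' ),
            'caption' => array( 'type' => 'string', 'default' => '' ),
        ),
        'render_callback' => 'example_lightbox_render_safe',
    ) );
} );
```

If a caption must legitimately carry limited HTML (links, emphasis), replace esc_html() with wp_kses_post(), which allow-lists tags and attributes instead of encoding everything. Escaping at output time is the control that matters here: a value that was sanitized on save can still reach the database through REST, import or direct SQL, so the render path must not trust it.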
Affected Products (AI)
The vulnerability affects bPlugins LightBox Block WordPress plugin from version 1.0 through and including version 1.1.30. The plugin is distributed via the WordPress.org plugin repository and is identified by the plugin slug 'lightbox-block'. All installations of LightBox Block at or below version 1.1.30 are potentially affected, regardless of how the lightbox feature is configured within WordPress sites.
Remediation (AI)
Update the bPlugins LightBox Block plugin to a version newer than 1.1.30 immediately via the WordPress admin plugin update interface, or directly from the WordPress.org plugin repository. If an updated version is not yet available, disable the LightBox Block plugin entirely until a patch is released by bPlugins. Site administrators should also review recent plugin settings and any content created or modified via the lightbox functionality to identify potential malicious script injections. The vulnerability was reported to Patchstack ([email protected]) and detailed information is available at https://patchstack.com/database/Wordpress/Plugin/lightbox-block/vulnerability/wordpress-lightbox-block-plugin-1-1-30-cross-site-scripting-xss-vulnerability.