CVE-2025-5035
Firelight Lightbox < 2.3.16 - Contributor+ Stored XSS
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
27 jun 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Productos afectados
Unknown · Firelight Lightbox