CVE-2025-3597: 
WordPress vulnerability analysis and mitigation

The Firelight Lightbox WordPress plugin before version 2.3.15 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-3597. The vulnerability was discovered on April 21, 2025, and allows users with post writing capabilities to execute arbitrary JavaScript code when the jQuery Metadata library is enabled. While this feature was intended only for Pro version users, it can be activated in the free version as well, making it exploitable across both versions (WPScan, NVD).

The vulnerability exists due to insufficient input validation when the jQuery Metadata library extension is enabled. Users with contributor-level access or higher can inject malicious JavaScript code through HTML blocks in post content. The vulnerability can be activated in the free version by manipulating the disabled attribute on the checkbox in the plugin settings at /wp-admin/admin.php?page=firelight-settings, despite being intended as a Pro-only feature. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (WPScan).

When exploited, this vulnerability allows authenticated users with post writing capabilities to execute arbitrary JavaScript code in the context of other users' browsers who view the affected posts. This could lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser session (Wiz).

The vulnerability has been patched in version 2.3.15 of the Firelight Lightbox plugin. Site administrators should update to this version immediately. As a temporary workaround, administrators can disable the jQuery Metadata library extension in the plugin settings (WPScan).