CVE-2025-3742: 
WordPress vulnerability analysis and mitigation

The Responsive Lightbox & Gallery WordPress plugin before version 2.5.1 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-3742. The vulnerability was discovered and disclosed on April 24, 2025. This security issue affects all versions of the plugin prior to 2.5.1 (WPScan, NVD).

The vulnerability stems from insufficient input validation and output escaping of certain attributes before they are output back in a page or post. The issue has been assigned a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H (NVD, Wiz).

When exploited, this vulnerability allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

Website administrators should immediately update the Responsive Lightbox & Gallery plugin to version 2.5.1 or later, which contains the fix for this vulnerability (WPScan, Wiz).