CVE-2025-3745: 
WordPress vulnerability analysis and mitigation

The WP Lightbox 2 WordPress plugin (versions before 3.0.6.8) was identified with a Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2025-3745. The vulnerability was discovered and publicly disclosed on June 9, 2025. This security flaw affects the plugin's handling of link title attributes, potentially exposing WordPress websites to XSS attacks (WPScan, NVD).

The vulnerability stems from improper sanitization of the title attribute values in links. The CVSS v3.1 base score is 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that execute whenever a user accesses the injected content. This can lead to potential data theft, session hijacking, or other malicious actions performed in the context of the affected user's browser (Rapid7).

The vulnerability has been patched in version 3.0.6.8 of the WP Lightbox 2 plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).