CVE-2025-9710: 
WordPress vulnerability analysis and mitigation

The Responsive Lightbox & Gallery WordPress plugin before version 2.5.3 contains a stored Cross-Site Scripting (XSS) vulnerability that was discovered on September 15, 2025. The vulnerability affects the plugin's comment functionality and allows unauthenticated attackers to inject malicious code (WPScan, NVD).

The vulnerability stems from improper handling of HTML tag attributes modifications in the plugin's comment system. When the 'Enable lightbox for comments content' setting is enabled, unauthenticated attackers can inject event handlers that execute malicious JavaScript code when the comment is approved and viewed. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (WPScan).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in users' browsers when they view the compromised comments. This can lead to various attacks including cookie theft, session hijacking, and other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been patched in version 2.5.3 of the Responsive Lightbox & Gallery plugin. Site administrators are strongly advised to update to this version or later to protect against this security issue (WPScan).