{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5537", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-03T15:28:54.266Z", "datePublished": "2025-07-08T04:22:58.814Z", "dateUpdated": "2026-04-08T17:17:18.771Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:18.771Z"}, "affected": [{"vendor": "fooplugins", "product": "Lightbox & Modal Popup WordPress Plugin \u2013 FooBox", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7.34", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Lightbox & Modal Popup WordPress Plugin \u2013 FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Lightbox & Modal Popup WordPress Plugin \u2013 FooBox <= 2.7.34 - Authenticated (Author+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd2163-b8ef-4dd1-a12b-cd9187145134?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3322273%40foobox-image-lightbox&new=3322273%40foobox-image-lightbox&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Robert DeVore"}], "timeline": [{"time": "2025-06-21T18:22:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-07T16:14:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-08T18:08:51.901469Z", "id": "CVE-2025-5537", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-08T18:11:19.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-08T18:08:51.901469Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-08T18:10:36.835Z"}}], "cna": {"title": "Lightbox & Modal Popup WordPress Plugin \u2013 FooBox <= 2.7.34 - Authenticated (Author+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Robert DeVore"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "fooplugins", "product": "Lightbox & Modal Popup WordPress Plugin \u2013 FooBox", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.7.34"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-21T18:22:08.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-07T16:14:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd2163-b8ef-4dd1-a12b-cd9187145134?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3322273%40foobox-image-lightbox&new=3322273%40foobox-image-lightbox&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Lightbox & Modal Popup WordPress Plugin \u2013 FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:18.771Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5537", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:18.771Z", "dateReserved": "2025-06-03T15:28:54.266Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-08T04:22:58.814Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fooplugins:foobox:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3CEFC8F3-AA35-49E7-9170-F55F54EEFD12", "versionEndExcluding": "2.7.35", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Lightbox & Modal Popup WordPress Plugin \u2013 FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Lightbox &amp; Modal Popup WordPress Plugin \u2013 FooBox para WordPress es vulnerable a cross site scripting almacenado mediante textos alternativos de im\u00e1genes en todas las versiones hasta la 2.7.34 incluida, debido a una limpieza de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5537", "lastModified": "2025-07-10T13:29:31.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-08T05:15:30.420", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3322273%40foobox-image-lightbox&new=3322273%40foobox-image-lightbox&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd2163-b8ef-4dd1-a12b-cd9187145134?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:50:33.408360+00:00", "value": {"mitigation_remediation": ["Upgrade the FooBox plugin to the latest fixed release (above 2.7.34).", "Limit Author and higher level user accounts to only those who truly need them, enforce strong, unique passwords, and review account permissions regularly.", "Remove or disable the plugin if it is not required for site functionality, and audit existing image alt attributes for injected scripts to neutralize any remaining payloads."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting that allows an authenticated Author level user to inject arbitrary web scripts via image alt text, causing executed malicious JavaScript on user visits"}, "threat_synthesis": {"affected_systems": "Every WordPress installation that has fooplugins\u2019 Lightbox & Modal Popup WordPress Plugin \u2013 FooBox installed, versions 2.7.34 and older. The flaw is present in all releases up to and including 2.7.34 and affects any site that uses the plugin in its default configuration.", "description_and_impact": "The Lightbox & Modal Popup WordPress Plugin \u2013 FooBox contains insufficient input sanitization and output escaping in image alternative texts, enabling stored Cross\u2011Site Scripting. An attacker with Author or higher privileges can inject JavaScript that will execute for any visitor of the infected page, potentially enabling malicious actions in the browsers of those visitors.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Though only reachable by users with Author\u2011level authentication, the payload can be posted to any publicly accessible image alt field, making site\u2011wide script injection feasible for the compromised account. The attack vector is inferred to be local access via authenticated accounts, which then propagates to visitors of manipulated pages."}}}}, "created": "2026-04-21T20:00:25.893239+00:00", "updated": "2026-04-21T20:00:25.893251+00:00", "vendors": []}