LeakyCreds

CVE-2025-15386 - Vulnerability Analysis

Severity: High | CVSS: 8.8

Last Updated: February 24, 2026

Responsive Lightbox & Gallery - Stored XSS

Published: February 24, 2026
Updated: February 24, 2026
Remote Exploitable

Overview

The Responsive Lightbox & Gallery WordPress plugin before version 2.6.1 contains a stored XSS vulnerability caused by flawed regex replacement rules in the comment lightbox feature. An unauthenticated attacker can submit a comment containing a crafted link; once the comment is approved, the injected script executes in the browsers of users who view it.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 4.1% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can execute persistent scripts in users' browsers, leading to session hijacking or defacement.

Mitigation

Upgrade to version 2.6.1 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 24, 2026

🟠 CVE-2025-15386 - High (8.8) The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments ar... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-15386/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2025-15386
Severity: High
CVSS Score: 8.8
Type: stored_xss
Status: unconfirmed
EPSS: 4.1%
Social Posts: 1

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

4.1% (probability of exploitation in the next 30 days)