Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-14272 | The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks. |
Thu, 05 Jun 2025 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Lightpress
Lightpress lightbox |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:lightpress:lightbox:*:*:*:*:*:wordpress:*:* | |
| Vendors & Products |
Lightpress
Lightpress lightbox |
Mon, 12 May 2025 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 12 May 2025 06:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks. | |
| Title | LightPress Lightbox < 2.3.4 - Contributor+ Stored XSS | |
| References |
|
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2025-05-12T17:03:04.531Z
Reserved: 2025-04-15T14:42:22.990Z
Link: CVE-2025-3649
Updated: 2025-05-12T17:02:33.168Z
Status : Analyzed
Published: 2025-05-12T06:15:40.270
Modified: 2026-06-17T09:20:23.333
Link: CVE-2025-3649
No data.
OpenCVE Enrichment
No data.
EUVD