CVE-2025-15386
Responsive Lightbox & Gallery < 2.6.1 - Unauthenticated Stored XSSThe Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved.
We have discovered 51,214 live websites that are affected by CVE-2025-15386.
Affected Software
| Product |  Responsive Lightbox and Gallery |
| Category | Wordpress Plugins |
| Vulnerable Domains | 51,214 live websites (69% of Responsive Lightbox and Gallery install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 35 versions ( 60% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Feb 24, 2026
- Updated - Feb 24, 2026
Credits
- Matthew Rollings (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-15386 United States | 9,252 websites |
 Germany | 7,556 websites |
 Japan | 4,936 websites |
 France | 2,885 websites |
 Poland | 2,768 websites |
 Russia | 2,767 websites |
 Italy | 2,238 websites |
 GB | 2,010 websites |
 Netherlands | 1,932 websites |
 Czech Republic | 1,278 websites |
Website Distribution by TLD
Number of websites using CVE-2025-15386| .com | 16,539 websites |
| .de | 5,073 websites |
| .ru | 2,227 websites |
| .pl | 2,077 websites |
| .org | 1,767 websites |
| .nl | 1,759 websites |
| .it | 1,593 websites |
| .co.uk | 1,298 websites |
| .net | 1,247 websites |
| .fr | 1,246 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-15386
Top websites that are affected by CVE-2025-15386. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******************.ro |  Romania | **,*** | |
| ***************.com |  Singapore | **,*** | |
| ************.com |  Israel | **,*** | |
| ****************.com | France | **,*** | |
| **********.id |  Indonesia | **,*** | |
| *******.net | United States | **,*** | |
| *************.com | United States | **,*** | |
| ***************.it | Italy | **,*** | |
| ***********.com | United States | **,*** | |
| ***********.com | United States | **,*** |
FAQ
CVE-2025-15386 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Responsive Lightbox and Gallery
A total of 51,214 websites have been identified as vulnerable to CVE-2025-15386, based on global website indexing conducted by WebTechSurvey.
The Responsive Lightbox and Gallery is affected by the CVE-2025-15386 vulnerability.
Responsive Lightbox and Gallery versions up to 2.6.1 are vulnerable to CVE-2025-15386.
CVE-2025-15386 is resolved in version 2.6.1 of Responsive Lightbox and Gallery.