Responsive Lightbox & Gallery is a widely used WordPress plugin (100k+ installs) that enhances galleries and lightboxes, including support for remote images and “remote library” content blocks. As part of rendering gallery items, the plugin attempts to determine image dimensions (width/height) server-side when those values are missing or when an item is stored as a plain URL. During testing, we identified CVE-2025-12359, an authenticated SSRF vulnerability exploitable by Author+ users who can create or edit gallery content. By supplying an attacker-controlled URL, the plugin causes the WordPress server to initiate outbound requests to arbitrary internal or external addresses—including 127.0.0.1, RFC1918 networks, and potentially cloud metadata endpoints—without allow-listing, private-range blocking, or redirect safeguards.

CVE: CVE-2025-12359
Plugin Version: Responsive Lightbox & Gallery <= 2.5.3
Severity: High
All Time: 6 102 333
Active installations: 100 000+
Publicly Published: November 18, 2025
Last Updated: November 18, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12359
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/responsive-lightbox/responsive-lightbox-gallery-253-authenticated-author-server-side-request-forgery

Timeline

October 13, 2025: Plugin testing and vulnerability detection in Responsive Lightbox & Gallery were completed
October 13, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 18, 2025: Registered CVE-2025-12359

Discovery of the Vulnerability

The root cause is the plugin's server-side image-size resolution pipeline. When a gallery item is represented by a URL or its size fields are absent, the flow in includes/class-galleries.php (~3645–3683) calls rl_get_image_size_by_url() (includes/functions.php ~108–112), which delegates to Responsive_Lightbox_Frontend::get_image_size_by_url() (includes/class-frontend.php ~1534–1555). That method accepts the user-controlled URL after esc_url_raw(), which only normalises the string and strips disallowed protocols and does nothing to restrict the destination host, and then fetches data via either:

  • getimagesize($url), which opens the URL itself when allow_url_fopen is enabled, or
  • a "fast image" helper that performs fopen($uri, 'r') (includes/class-fast-image.php ~22–31).

Critically, there is no destination allow-list, no denial of loopback/private networks, and no restriction on redirects to internal addresses. This makes the URL parameter an SSRF sink.

Understanding SSRF attacks

Server-Side Request Forgery (SSRF) allows an attacker to make the server send requests to arbitrary endpoints. In WordPress, SSRF frequently appears in plugins that import remote images, generate previews, or compute metadata for user-supplied URLs. When protections are missing, attackers can:

  • Probe internal admin panels and services bound to localhost
  • Access private network resources (10/8, 172.16/12, 192.168/16)
  • Attempt cloud metadata endpoints (e.g., 169.254.169.254)
  • Trigger side effects on internal HTTP services (blind SSRF)

Even when response bodies are not returned directly, timing differences and service interactions can yield actionable reconnaissance and pivoting opportunities. CVE-2025-12359 is particularly relevant because it ties SSRF to normal gallery rendering—meaning the request is triggered whenever the content is previewed or visited.

Exploiting the SSRF Vulnerability

To exploit CVE-2025-12359, an attacker with Author+ cookies proceeds as follows:

POC:

1) Create a new Post
2) Add a "Remote Library Image" block
3) Publish the Post
4) Intercept the request and change the "imageURL" field to http://127.0.0.1:443
5) Send the request and open the new Post

____

  • Internal network scanning: Authors can probe private services and discover internal endpoints not exposed to the public internet.
  • Access to localhost services: If local admin panels exist (debug UIs, monitoring dashboards), attackers can reach them from WordPress.
  • Cloud metadata attacks: In cloud deployments, SSRF to metadata services can lead to credential theft if additional weaknesses exist (redirects, response reflection, or downstream exfil).
  • DoS angle: Repeated requests to slow/unroutable hosts can exhaust PHP workers and outbound sockets.
  • Chaining: SSRF often becomes a stepping stone to RCE when combined with exposed internal admin interfaces or weak authentication on internal services.

Because the trigger is tied to gallery rendering, exploitation can be repeated and automated by simply loading pages that contain the malicious remote URL.

Recommendations for Improved Security

For plugin maintainers:

  1. Block private/loopback/link-local ranges: Resolve the hostname first, then reject any address in 127.0.0.0/8 and ::1, the RFC1918 ranges (10/8, 172.16/12, 192.168/16), 169.254.0.0/16, fc00::/7, fe80::/10 and other reserved ranges. Checking only literal IPs misses hostnames that resolve to internal addresses.
  2. Enforce an allow-list: Only allow remote image URLs from approved public domains, or require explicit admin approval for new domains.
  3. Prevent redirect abuse: Disable redirects, or re-validate the resolved IP of every hop so that a public host cannot 3xx the server into loopback or private space.
  4. Use safe HTTP client controls: If fetching is required, use wp_safe_remote_get() (which sets reject_unsafe_urls and runs wp_http_validate_url()) with strict timeouts and a limit_response_size cap, and parse the downloaded bytes instead of handing the URL to getimagesize() or fopen().
  5. Restrict who can set remote URLs: Limit remote-library/gallery URL insertion to trusted roles, or introduce a sanitization gate for lower roles.
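
The sink described in the Discovery section and the maintainer recommendations above, shown side by side as an added example written for this advisory, not code taken from the plugin. The rl_example_* function names are assumptions; wp_parse_url(), wp_safe_remote_get(), wp_remote_retrieve_response_code(), wp_remote_retrieve_body(), MB_IN_BYTES, getimagesizefromstring() and the filter_var() range flags are the real WordPress/PHP APIs. The hardened version resolves the host, fails closed on loopback/private/link-local/reserved addresses, disables redirects, caps the response size, and parses bytes that are already in memory rather than letting PHP open a URL.

```php
<?php
/**
 * Added example for CVE-2025-12359 (not the plugin's own code).
 * Requires WordPress to be loaded; the rl_example_* names are hypothetical.
 */

// Vulnerable pattern as described in the advisory: esc_url_raw() normalises
// the URL, then PHP fetches whatever host it names, following redirects.
function rl_example_get_image_size_vulnerable( $url ) {
    $url = esc_url_raw( $url );
    return @getimagesize( $url ); // reaches 127.0.0.1, RFC1918, 169.254.169.254
}

/**
 * Reject any http(s) URL whose host resolves to a loopback, private,
 * link-local or otherwise reserved address. The host is resolved here so the
 * check also covers hostnames that point at internal IPs, not just literals.
 */
function rl_example_is_public_http_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // no file://, ftp://, php://, gopher:// ...
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false; // "http://public.example@127.0.0.1/" confusion
    }
    $host = trim( $parts['host'], '[]' ); // wp_parse_url keeps brackets on IPv6 literals

    // Collect every address the request could actually be sent to.
    $addresses = array();
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addresses[] = $host;
    } else {
        // Non-dotted forms such as "2130706433" or "0177.0.0.1" fail
        // FILTER_VALIDATE_IP and end up here; whatever they resolve to is checked.
        $v4 = @gethostbynamel( $host );
        if ( is_array( $v4 ) ) {
            $addresses = array_merge( $addresses, $v4 );
        }
        $v6 = @dns_get_record( $host, DNS_AAAA );
        if ( is_array( $v6 ) ) {
            foreach ( $v6 as $rec ) {
                if ( ! empty( $rec['ipv6'] ) ) {
                    $addresses[] = $rec['ipv6'];
                }
            }
        }
    }
    if ( empty( $addresses ) ) {
        return false; // unresolvable: fail closed
    }
    foreach ( $addresses as $ip ) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Hardened replacement: validate the destination, fetch through the WordPress
 * HTTP API with redirects off, a short timeout and a size cap, then measure
 * the bytes we received. getimagesize()/fopen() never see a URL.
 */
function rl_example_get_image_size_safe( $url ) {
    $url = esc_url_raw( $url );
    if ( ! rl_example_is_public_http_url( $url ) ) {
        return false;
    }
    // wp_safe_remote_get() sets reject_unsafe_urls, so wp_http_validate_url()
    // runs as a second layer on top of the resolver check above.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,               // a 3xx to an internal host is never followed
        'limit_response_size' => 2 * MB_IN_BYTES, // stop slow/huge bodies from tying up a worker
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $body = wp_remote_retrieve_body( $response );
    if ( '' === $body ) {
        return false;
    }
    $size = @getimagesizefromstring( $body ); // parses in-memory bytes only
    return $size ? array( 'width' => $size[0], 'height' => $size[1] ) : false;
}
```

With this in place the PoC value http://127.0.0.1:443 is rejected at the 127/8 check before any socket is opened. Two caveats worth knowing: the resolver check and the later fetch are separate DNS lookups, so a host that changes its answer between them (DNS rebinding) is only caught by the second layer, which is why wp_safe_remote_get() is kept rather than plain wp_remote_get(); and wp_http_validate_url() itself checks IPv4 ranges only, rejects IPv6 literals outright, and exempts the site's own hostname, so the explicit address check above is not redundant. The allow-list from recommendation 2, when adopted, belongs in front of rl_example_is_public_http_url() as an additional gate, not as a replacement for it.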

For site owners:

  • Update Responsive Lightbox & Gallery to the patched version once available.
  • Limit Author capabilities if remote image blocks are not required.
  • Implement egress filtering at the host/network level to block outbound requests to internal ranges from the WordPress container/VM.
  • Monitor logs for unusual outbound connections originating from PHP/WordPress.

By taking proactive measures to address SSRF vulnerabilities like CVE-2025-12359, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #SSRF #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2025-12359 – Responsive Lightbox & Gallery  – SSRF via Author+ – POC
