- Description
- The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS; however, one of our researchers (Marc Montpas) escalated it to an Unauthenticated Stored XSS.
- Source
- contact@wpscan.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- Hype score
- Not currently trending
🚨 Attention, WordPress devs! FancyBox plugin vulnerable to XSS (CVE-2025-3662) due to a flaw in the handling of titles/captions. 👉 Update to version 3.3.6+ to prevent the execution of malicious scripts! ⚠️ #WordPress #Segurança #XSS https://t.co/vxvvBpTBKa
@fernandokarl
3 Jun 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-3662 The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was rec… https://t.co/FJr4Y0ekID
@CVEnew
3 Jun 2025
333 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes