← back
CVE-2025-3662

FancyBox for WordPress < 3.3.6 - Unauthenticated Stored XSS

CVSS 6.1 MEDIUMEPSS 0.2%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
03 Jun 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N