CVE-2025-3662: FancyBox for WordPress < 3.3.6 - Unauthenticated Stored XSS

6.1 CVSS

Description

The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS

Classification

CVE ID: CVE-2025-3662

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem Types

CWE-79 Cross-Site Scripting (XSS)

Affected Products

Vendor: Unknown

Product: FancyBox for WordPress

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 5.99% (scored less or equal to compared to others)

EPSS Date: 2025-06-04 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3662
https://wpscan.com/vulnerability/4cda12f0-3c23-44ad-80ea-db2443ebcf82/

Timeline

2025-06-03 07:40:08 UTC
CVE

FancyBox for WordPress < 3.3.6 - Unauthenticated Stored XSS