CVE-2025-3662
Description
The FancyBox for WordPress plugin before 3.3.6 does not escape caption and title attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS; however, one of our researchers (Marc Montpas) escalated it to an Unauthenticated Stored XSS.
CWE
- (none)
Affected
- Unknown / FancyBox for WordPress — v=0 <3.3.6 [affected]
CVSS
- (none)
References
- https://wpscan.com/vulnerability/4cda12f0-3c23-44ad-80ea-db2443ebcf82/ exploit, vdb-entry, technical-description
Source
cvelistV5-main/cves/2025/3xxx/CVE-2025-3662.json