Colorlib
Products by Colorlib Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Colorlib. Last year, in 2025, Colorlib had 1 security vulnerability published. Right now, Colorlib is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 3 | 4.80 |
| 2023 | 4 | 6.78 |
| 2022 | 1 | 4.80 |
It may take a day or so for new Colorlib vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Colorlib Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-3662 | Jun 03, 2025 | Unauth Stored XSS in WordPress FancyBox <3.3.6 (Captions): The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS; however, one of our researchers (Marc Montpas) escalated it to an Unauthenticated Stored XSS. | |
| CVE-2024-49321 | Oct 21, 2024 | Missing Auth in Colorlib Simple Custom Post Order <=2.5.7: Missing Authorization vulnerability in Colorlib Simple Custom Post Order allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Custom Post Order: from n/a through 2.5.7. | |
| CVE-2024-0662 | Apr 09, 2024 | FancyBox 3.0.2-3.3.3 WP Stored XSS via Admin Settings: The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |
| CVE-2024-1473 | Mar 20, 2024 | Colorlib 'Coming Soon & Maintenance Mode' WP Plugin 1.0.99 Info Exposure via REST: The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via the REST API, thus bypassing the maintenance mode protection provided by the plugin. | |
| CVE-2020-36721 | Jun 07, 2023 | WP Themes <=1.3.1 Unauth Plugin Act/Deact (CVE-2020-36721): The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site. | And others... |
| CVE-2020-36708 | Jun 07, 2023 | WordPress Themes <=1.3.1 Function Injection via epsilon_framework_ajax_action: The following themes for WordPress are vulnerable to Function Injection in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution. | And others... |
| CVE-2022-45849 | Apr 16, 2023 | Reflected XSS in Silkalns Activello Theme 1.4.4: Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions. | |
| CVE-2022-45358 | Apr 13, 2023 | Reflected XSS vulnerability in Silkalns Activello Theme 1.4.4: Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions. | |
| CVE-2022-1945 | Jun 20, 2022 | The Coming Soon & Maintenance Mode by Colorlib WordPress plugin before 1.0.99 does not sanitize and escape some settings, allowing high privilege users such as admin to perform Stored Cross-Site Scripting when unfiltered_html is disallowed (for example in a multisite setup). | |
| CVE-2015-1494 | Feb 17, 2015 | The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015. | |