Colorlib Fancybox
By the Year
In 2026 there have been 0 vulnerabilities in Colorlib Fancybox. Last year, in 2025, Fancybox had 1 security vulnerability published. Right now, Fancybox is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 1 | 4.80 |
It may take a day or so for new Fancybox vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Colorlib Fancybox Security Vulnerabilities
Unauth Stored XSS in WordPress FancyBox <3.3.6 (Captions)
CVE-2025-3662
- June 03, 2025
The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS; however, one of our researchers (Marc Montpas) escalated it to an Unauthenticated Stored XSS.
XSS
FancyBox 3.0.2 - 3.3.3 WP: Stored XSS via Admin Settings
CVE-2024-0662
4.8 - Medium
- April 09, 2024
The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
XSS
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which
CVE-2015-1494
- February 17, 2015
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.