CVE-2025-3662

CVE-2025-3662: FancyBox for WordPress < 3.3.6 - Unauthenticated Stored XSS

Vendor Unknown
Product FancyBox for WordPress
Published June 3, 2025
Last update June 3, 2025

CVSS base score

What the vulnerability does

01Description

The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS

Key dates

02Disclosure timeline

June 3, 2025 CVE published
June 3, 2025 Record updated