cvebase

Colorlib Fancybox vulnerabilities

3 known vulnerabilities affecting colorlib/fancybox.

Total CVEs: 3
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: MEDIUM 3

Vulnerabilities

CVE-2015-1494 | P2 | MEDIUM | CVSS 4.3 | Exploited | PoC | ≤ 3.0.2 | 2015-02-17
CWE-79. The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
Source: NVD
CVE-2025-3662 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.3.6 | 2025-06-03
CWE-79. The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researchers (Marc Montpas) escalated it to an Unauthenticated Stored XSS
Source: NVD
CVE-2024-0662 | P4 | MEDIUM | CVSS 4.8 | ≥ 3.0.2, < 3.3.3 | 2024-04-09
CWE-79. The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will exec
Source: NVD