GCVE - cpe:2.3:a:colorlib:fancybox:*:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:colorlib:fancybox:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Colorlib (`05dc98e5-dc4d-5a31-bf3c-ad80d796bf26`)
Product	Fancybox (`676fb8fd-b45d-57a1-b553-6f805eec027b`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-3662`	vulnerable	2026-06-08 07:23:09.617893	FancyBox for WordPress < 3.3.6 - Unauthenticated Stored XSS The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS Published: 2025-06-03T06:00:17.231Z Updated: 2025-06-03T15:28:29.716Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/4cda12f0-3c23-44ad-80ea-db2443ebcf82/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-0662`	vulnerable	2026-06-08 06:22:01.669209	Details available MEDIUM (4.4) The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Published: 2024-04-09T18:58:49.288Z Updated: 2024-08-01T18:11:35.645Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/55f8d7e6-7bcd-4556-932b-7bf422db0b39?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3058912%40fancybox-for-wordpress&new=3058912%40fancybox-for-wordpress&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-1494`	vulnerable	2026-06-08 05:06:25.761888	Details available The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015. Published: 2015-02-17T15:00:00.000Z Updated: 2024-08-06T04:47:16.217Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/72506 http://www.openwall.com/lists/oss-security/2015/02/05/10 https://plugins.trac.wordpress.org/changeset/1082625/ http://www.exploit-db.com/exploits/36087 https://wordpress.org/plugins/fancybox-for-wordpress/changelog/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.