jQuery Colorbox <= 4.6.3 – Contributor+ Stored XSS | CVE 2025-3650 | Plugin Vulnerabilities

Description

The plugin uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

Proof of Concept

1. Browse to /wp-admin/options-general.php?page=jquery-colorbox%2Fjquery-colorbox.php and enable "Automate jQuery Colorbox for all images in pages, posts and galleries".
2. As an contributor, create a post containing this HTML:
`<a class="colorbox-link" title="&lt;img src=x onerror=alert()&gt;" href="http://example.com">Click me</a>`
3. If another user clicks the link while previewing the post, the malicious JS is executed.

Affects Plugins

jquery-colorbox

No known fix

References

CVE

URL

https://security.snyk.io/vuln/npm:jquery-colorbox:20171115

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

5afdd448-0f7e-409e-a47b-8e5c5b707639

Timeline

Publicly Published

2025-08-22 (about 4 months ago)

Added

2025-08-22 (about 4 months ago)

Last Updated

2025-08-22 (about 4 months ago)

Other

Published

Title

Published

2025-04-02

Title

Glossy Blog <= 1.0.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2024-12-05

Title

PDF Builder for WooCommerce. Create invoices,packing slips and more < 1.2.137 - Reflected Cross-Site Scripting

Published

2024-09-04

Title

Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting

Published

2025-09-05

Title

Custom Team Manager <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-27

Title

WP Multistore Locator — WP Store Locator Plugin: Effortless Integration With Snazzy Maps < 2.5.1 - Reflected Cross-Site Scripting