WordPress Plugin Vulnerabilities
Multiple Plugins - Contributor+ DOM-Based Stored XSS via FancyBox JavaScript Library
Description
Multiple plugins are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affects Plugins
Fixed in 1.9.13
Fixed in 1.0.288 
No known fix
Fixed in 2.3.4
Fixed in 1.8.16
Fixed in 3.3.5
Fixed in 1.15.28
Fixed in 7.5.48.7212
Fixed in 2.0.12
Fixed in 3.59.5
Fixed in 2.4.9
Fixed in 3.3.10
Fixed in 4.1.2
Fixed in 2.6.9 References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Webbernaut
Verified
No
WPVDB ID
Timeline
Publicly Published
2024-12-03 (about 1 year ago)
Added
2024-12-04 (about 1 year ago)
Last Updated
2025-04-01 (about 1 year ago)
WPScan 