CVE-2025-3662 Information

Description

The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries’ caption fields. The issue was received as a Contributor+ Stored XSS however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS

Reference

https://wpscan.com/vulnerability/4cda12f0-3c23-44ad-80ea-db2443ebcf82/ https://wpscan.com/vulnerability/4cda12f0-3c23-44ad-80ea-db2443ebcf82/