WordPress · Fancybox · CVE-2015-1494
**Name of the Vulnerable Software and Affected Versions**
FancyBox for WordPress versions prior to 3.0.3
**Description**
The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via an `mfbfw[*]` parameter in an update action to "wp-admin/admin-post.php". This has been exploited in the wild, as demonstrated by the `mfbfw[padding]` parameter.
**Recommendations**
For versions prior to 3.0.3, update to version 3.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-post.php" endpoint to minimize the risk of exploitation, and avoid using the `mfbfw[*]` parameter on the affected endpoint until the update has been applied.
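The handler pattern behind this class of issue, alongside the hardened form that the recommendations above amount to, as an added example (not the FancyBox plugin's own code): a hypothetical settings save routine for an option array named `mfbfw`, reached through an `admin-post.php` action. The action name `mfbfw_save`, the capability `manage_options`, the nonce action `mfbfw_save_settings` and the individual field names are assumptions; the WordPress API calls (`check_admin_referer`, `current_user_can`, `absint`, `sanitize_text_field`, `sanitize_hex_color`, `esc_attr`, `update_option`) are real core functions.

```php
<?php
// Added example, not the FancyBox plugin's code. Assumed names: option 'mfbfw',
// admin-post action 'mfbfw_save', capability 'manage_options',
// nonce action 'mfbfw_save_settings'.

// --- Pattern that produces the stored XSS ----------------------------------
// Whatever arrives in $_POST['mfbfw'] is saved verbatim: no capability check,
// no nonce, no per-field sanitization. A value submitted as mfbfw[padding]
// containing markup is stored and later echoed into admin or front-end HTML.
// Shown for contrast only; it is not registered on any hook.
function mfbfw_save_settings_vulnerable() {
    $settings = isset( $_POST['mfbfw'] ) ? (array) $_POST['mfbfw'] : array();
    update_option( 'mfbfw', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=mfbfw' ) );
    exit;
}

// --- Hardened pattern --------------------------------------------------------
// Each field is coerced to the type it is meant to hold, so a numeric option
// such as padding can never carry anything but digits.
function mfbfw_sanitize_settings( array $raw ) {
    $clean = array();
    $clean['padding'] = isset( $raw['padding'] ) ? absint( $raw['padding'] ) : 10;
    $clean['margin']  = isset( $raw['margin'] )  ? absint( $raw['margin'] )  : 20;
    // Free-text fields: tags and control characters stripped.
    $clean['title'] = isset( $raw['title'] )
        ? sanitize_text_field( wp_unslash( $raw['title'] ) )
        : '';
    // Colour fields: must be a 3- or 6-digit hex colour, otherwise fall back.
    $color = isset( $raw['overlayColor'] )
        ? sanitize_hex_color( wp_unslash( $raw['overlayColor'] ) )
        : '';
    $clean['overlayColor'] = $color ? $color : '#666666';
    return $clean;
}

function mfbfw_save_settings_hardened() {
    // 1. Only users allowed to change site options may reach the update.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The form must carry a valid nonce (wp_nonce_field( 'mfbfw_save_settings' )
    //    on the settings page); check_admin_referer() dies otherwise.
    check_admin_referer( 'mfbfw_save_settings' );
    // 3. Sanitize before storing.
    $raw = isset( $_POST['mfbfw'] ) ? (array) $_POST['mfbfw'] : array();
    update_option( 'mfbfw', mfbfw_sanitize_settings( $raw ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=mfbfw' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; no admin_post_nopriv_
// counterpart is registered, so unauthenticated requests never reach it.
add_action( 'admin_post_mfbfw_save', 'mfbfw_save_settings_hardened' );

// Output side: stored values are still escaped at the point of use, so even a
// value that slipped past sanitization cannot break out of the attribute.
function mfbfw_render_padding_field() {
    $settings = get_option( 'mfbfw', array() );
    $padding  = isset( $settings['padding'] ) ? (int) $settings['padding'] : 10;
    echo '<input type="number" name="mfbfw[padding]" value="' . esc_attr( $padding ) . '">';
}
```

The three controls in the hardened handler are independent: the capability check stops unauthenticated and low-privilege users, the nonce stops a logged-in administrator's browser from being driven cross-site, and per-field sanitization plus output escaping means that even an authorized user cannot store markup in a numeric option. When reviewing a plugin for this bug class, check that every `admin_post_*` (and especially every `admin_post_nopriv_*`) callback has all three.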