CVE-2025-3662

Name of the Vulnerable Software and Affected Versions FancyBox for WordPress versions prior to 3.3.6

Description The issue is related to the FancyBox plugin for WordPress not escaping captions and titles attributes before using them to populate galleries' caption fields. This was initially detected as a stored XSS vulnerability that required authentication, but it was escalated to an unauthenticated stored XSS issue.

Recommendations For versions prior to 3.3.6, update to version 3.3.6 or later to resolve the issue. As a temporary workaround, consider disabling the use of captions and titles attributes in galleries until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.