Stored Cross-Site Scripting Vulnerability in FancyBox for WordPress Plugin
CVE-2024-0662

4.8MEDIUM

Key Information:

Vendor

Wordpress
Status
Fancybox For WordPress
Vendor
CVE Published:
9 April 2024

What is CVE-2024-0662?

The FancyBox for WordPress plugin is susceptible to a Stored Cross-Site Scripting vulnerability affecting versions from 3.0.2 to 3.3.3. This security concern arises from the insufficient sanitization of input and failure to properly escape output in the admin settings. Authenticated attackers, particularly those with administrator-level privileges, could exploit this vulnerability to inject malicious scripts into web pages. Such scripts would execute when unsuspecting users access the compromised pages. This issue uniquely impacts WordPress multi-site configurations and scenarios where the 'unfiltered_html' capability is disabled, potentially jeopardizing user security and data integrity.

Affected Version(s)

FancyBox for WordPress 3.0.2 <= 3.3.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sh
.