CVE-2024-5020: 
WordPress vulnerability analysis and mitigation

CVE-2024-5020 is a Stored Cross-Site Scripting vulnerability affecting multiple WordPress plugins that use the FancyBox JavaScript library (versions 1.3.4 to 3.5.7). The vulnerability was discovered and disclosed in December 2024. The affected plugins include accordion-slider, colibri-page-builder, easy-fancybox, envira-gallery-lite, fancybox-for-wordpress, form-maker, fv-wordpress-flowplayer, getwid, nextgen-gallery, responsive-lightbox, visual-portfolio, woo-smart-quick-view, and wp-carousel-free (NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the FancyBox JavaScript library. It has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (NVD).

Multiple affected plugins have released patches to address this vulnerability. Users should update to the following versions: accordion-slider (1.9.13), colibri-page-builder (1.0.288), easy-fancybox (2.3.4), envira-gallery-lite (1.8.16), fancybox-for-wordpress (3.3.5), form-maker (1.15.28), fv-wordpress-flowplayer (7.5.48.7212), getwid (2.1.12), nextgen-gallery (3.59.5), responsive-lightbox (2.4.9), visual-portfolio (3.3.10), woo-smart-quick-view (4.1.2), and wp-carousel-free (2.6.9) (WPScan).