CVE-2025-26591: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-26591 is a Cross-site Scripting (XSS) vulnerability affecting the WordPress WP fancybox plugin versions through 1.0.4. This security flaw was discovered by researcher Prissy and was publicly disclosed on July 4, 2025. The vulnerability specifically involves improper neutralization of input during web page generation, allowing for stored XSS attacks (Patchstack, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating that the vulnerability requires network access, low attack complexity, low privileges, and user interaction (Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The affected versions include WP fancybox plugin version 1.0.4 and earlier (Patchstack).