CVE-2025-3650: 
WordPress vulnerability analysis and mitigation

The jQuery Colorbox WordPress plugin through version 4.6.3 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-3650. The vulnerability was discovered in August 2025 and affects the colorbox library implementation within the plugin. The issue stems from insufficient sanitization of title attributes on links, which can be exploited by users with contributor-level access or higher (WPScan).

The vulnerability exists due to the colorbox library's failure to properly sanitize title attributes on links before using them in the application. The CVSS v3.1 base score is 3.5 (Low) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. This indicates that while the vulnerability is network-accessible, it requires high privileges and user interaction to exploit (AttackerKB).

A successful exploitation of this vulnerability could allow an authenticated attacker with contributor privileges to execute arbitrary JavaScript code in the context of an administrator's browser session when they preview or view a malicious post. This could potentially lead to unauthorized actions being performed with administrator privileges (WPScan).

Currently, there is no known fix available for this vulnerability in the jQuery Colorbox WordPress plugin. Users are advised to consider disabling the plugin or restricting access to the contributor role until a security update is released (WPScan).