CVE-2025-3662: 
WordPress vulnerability analysis and mitigation

The FancyBox for WordPress plugin before version 3.3.6 contains a stored Cross-Site Scripting (XSS) vulnerability. Initially reported as a Contributor+ level Stored XSS, the vulnerability was later escalated to an Unauthenticated Stored XSS by researcher Marc Montpas. The vulnerability was discovered and disclosed on May 13, 2025, and was assigned CVE-2025-3662 (WPScan, NVD).

The vulnerability exists because the plugin fails to properly escape captions and titles attributes before using them to populate galleries' caption fields. This security flaw has been assigned a CVSS score of 8.8 (High), indicating its significant severity. The vulnerability can be exploited through the comment system when it's enabled for unauthenticated users (WPScan).

When successfully exploited, this vulnerability allows attackers to inject and execute arbitrary web scripts in the context of other users' browsers when they view the affected pages. Since the vulnerability is unauthenticated, any visitor to the site can potentially exploit it, making it particularly dangerous (WPScan).

The vulnerability has been patched in version 3.3.6 of the FancyBox for WordPress plugin. Site administrators are strongly advised to update to this version or later to protect against this security risk (WPScan).