CVE-2025-3662: 
WordPress vulnerability analysis and mitigation

The FancyBox for WordPress plugin before version 3.3.6 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-3662. Initially reported as a Contributor+ level Stored XSS, the vulnerability was later escalated to an Unauthenticated Stored XSS by researcher Marc Montpas. The vulnerability was discovered and disclosed on May 13, 2025 (WPScan).

The vulnerability exists because the plugin fails to properly escape captions and titles attributes before using them to populate galleries' caption fields. The security flaw has been assigned a CVSS score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, and user interaction required (WPScan, Wiz).

When successfully exploited, this vulnerability allows attackers to inject and execute arbitrary web scripts in the context of other users' browsers when they view the affected pages. Since the vulnerability is unauthenticated, any visitor to the site can potentially exploit it, making it particularly dangerous (WPScan, Wiz).

The vulnerability has been patched in version 3.3.6 of the FancyBox for WordPress plugin. Site administrators are strongly advised to update to this version or later to protect against this security risk (WPScan).