CVE-2015-1494
EXPLOITED IN THE WILDFancyBox for WordPress <3.0.3 - XSS
Title source: llmDescription
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by NULLpOint7r · textwebappsphp
https://www.exploit-db.com/exploits/36087
References (8)
Scores
EPSS
0.0456
EPSS Percentile
89.2%
Details
VulnCheck KEV
2015-02-17
InTheWild.io
2021-07-20
CWE
CWE-79
Status
published
Products (1)
colorlib/fancybox
< 3.0.2
Published
Feb 17, 2015
Tracked Since
Feb 18, 2026