Description
The easy-fancybox plugin (aka Easy FancyBox) before 1.8.18 for WordPress is susceptible to Stored XSS in the Settings Menu (inc/class-easyfancybox.php) due to improper encoding of arbitrarily submitted settings parameters. This occurs because there is no output filter for inline styles.
References (3)
Core References
Product, Third Party Advisory x_refsource_confirm
https://wordpress.org/plugins/easy-fancybox/#developers
Exploit, Third Party Advisory x_refsource_misc
https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190911-01_Easy_FancyBox_WP_Plugin_Stored_XSS
Exploit, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9891
Scores
CVSS v3
4.8
EPSS
0.0026
EPSS Percentile
49.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
status301/easy_fancybox
< 1.8.18
Published
Sep 26, 2019
Tracked Since
Feb 18, 2026