The Advanced Fancybox plugin by Ciprian Turcu contains a CSRF vulnerability that enables stored XSS attacks. This affects all versions up to 1.1.1. The vulnerability allows attackers to trick authenticated users into submitting requests that store malicious scripts, potentially compromising confidentiality, integrity, and availability. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation can lead to stored XSS, allowing attackers to execute malicious scripts in the context of the affected application. This can result in data theft, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. The high CVSS score reflects these risks. However, no active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or limiting use of the affected Advanced Fancybox versions and apply standard CSRF mitigations if possible. Monitor vendor channels for updates.