CVE-2025-26591 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin 'WP fancybox' developed by Noor Alam. The vulnerability arises from improper neutralization of input during web page generation, allowing malicious scripts to be stored and later executed in the context of users visiting the affected site. Specifically, versions up to 1.0.4 of WP fancybox are vulnerable. The CVSS 3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) shows that the attack can be launched remotely over the network with low attack complexity, requires privileges (likely contributor or editor roles) and user interaction (victim must trigger the malicious payload), and the scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes partial confidentiality, integrity, and availability loss. Stored XSS can allow attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, defacement, or redirection to malicious sites. Although no known exploits are currently in the wild, the vulnerability's presence in a popular WordPress plugin used for displaying images or content in a fancybox overlay makes it a significant risk, especially for websites relying on this plugin for user interaction and content presentation. The lack of available patches at the time of publication increases the urgency for mitigation.

For European organizations, especially those operating WordPress-based websites with WP fancybox installed, this vulnerability poses a risk of compromise of user sessions and data leakage. Attackers exploiting this vulnerability could inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to credential theft, unauthorized actions on behalf of users, or distribution of malware. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data breaches), and disrupt business operations. E-commerce sites, government portals, and media outlets using this plugin are particularly at risk. The scope change in the CVSS vector indicates that the impact could extend beyond the plugin itself, affecting the entire web application context. Given the medium severity and requirement for some privileges and user interaction, the threat is moderate but should not be underestimated, especially in environments with multiple contributors or editors who might be targeted to inject malicious content.

1. Immediate mitigation involves restricting user privileges to minimize the number of users who can input content that is rendered by WP fancybox. 2. Disable or remove the WP fancybox plugin if it is not essential to reduce the attack surface. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns related to XSS payloads targeting the plugin. 4. Monitor logs for unusual activity or attempts to inject scripts via the plugin’s input fields. 5. Educate content editors and administrators about the risks of injecting untrusted content and the importance of validating inputs. 6. Regularly update the plugin once a patch is released by the vendor. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 8. Conduct security audits and penetration testing focusing on input validation and output encoding in the affected plugin components.