CVE-2025-3662: CWE-79 Cross-Site Scripting (XSS) in FancyBox for WordPress
The FancyBox for WordPress plugin before 3.3.6 does not escape caption and title attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS; however, one of our researchers (Marc Montpas) escalated it to an Unauthenticated Stored XSS.
AI Analysis
Technical Summary
CVE-2025-3662 is a stored Cross-Site Scripting (XSS) vulnerability affecting the FancyBox for WordPress plugin in versions prior to 3.3.6. FancyBox is a popular plugin used to create image galleries with captions and titles on WordPress sites. The vulnerability arises because the plugin fails to escape the caption and title attributes before rendering them in gallery caption fields. The missing output escaping allows an attacker to inject JavaScript that is stored persistently within the gallery metadata. Notably, the vulnerability was initially reported as requiring contributor-level privileges but was escalated to an unauthenticated stored XSS, meaning an attacker does not need to be logged in or hold any privileges to exploit it. When a victim visits a page containing the malicious gallery, the injected script executes in their browser context, potentially leading to session hijacking, defacement, or other client-side attacks. The CVSS 3.1 base score is 6.1 (medium severity), reflecting a network attack vector, low attack complexity and no privileges required, but with user interaction required (the victim must visit the page). The scope is Changed, which for XSS reflects that the vulnerable component (the plugin running on the web server) differs from the impacted component (the visitor's browser and session). No known exploits are currently reported in the wild, and no official patch links are provided yet, but the fixed version is 3.3.6 or later. This vulnerability falls under CWE-79, a common and dangerous web application weakness related to improper input validation and output encoding.
Potential Impact
For European organizations running WordPress sites with the FancyBox plugin, this vulnerability poses a significant risk to website visitors and potentially to site administrators. Exploitation could lead to theft of user credentials, session tokens, or other sensitive information through script execution in the visitor's browser. This can result in account compromise, unauthorized actions on behalf of users, or reputational damage due to defacement or phishing. Since WordPress powers a substantial portion of websites across Europe, including corporate, governmental, and e-commerce platforms, the impact could be widespread. Attackers could leverage this vulnerability to target customers or employees, especially if the affected sites handle sensitive data or provide critical services. The unauthenticated nature of the exploit increases risk, as attackers do not need credentials to inject malicious content. Additionally, the Changed scope in the CVSS vector indicates that the impact lands on components beyond the injection point, namely the browsers and sessions of every user who views the gallery, amplifying potential damage. Although no active exploits are known yet, the medium severity score and ease of exploitation warrant prompt attention to prevent future attacks.
Mitigation Recommendations
European organizations should immediately verify whether their WordPress sites use the FancyBox plugin and identify the installed version. If the version is prior to 3.3.6, they should prioritize upgrading to 3.3.6 or later as soon as it is available for their installation. In the interim, organizations can implement Web Application Firewall (WAF) rules to detect and block suspicious inputs targeting gallery captions and titles, focusing on common XSS payload patterns. Content Security Policy (CSP) headers should be enforced to restrict the execution of inline scripts and reduce the impact of any injected code. Site administrators should audit user-generated content and sanitize existing gallery captions and titles to remove potentially malicious markup. Additionally, monitoring web server logs and user reports for unusual activity or complaints about site behavior can help detect exploitation attempts early. Educating content contributors about safe input practices and restricting upload permissions to trusted users can also reduce risk. Finally, organizations should maintain regular backups and have an incident response plan ready to address any compromise resulting from this vulnerability.
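The defect class described above, as an added example rather than FancyBox's own code: a gallery item renderer that interpolates stored title and caption values raw into attributes and text, beside the escaped form a WordPress plugin should use. It assumes the WordPress functions esc_attr() and esc_html(); when run outside WordPress the shims below approximate them with htmlspecialchars(), and the sample values are constructed.

```php
<?php
// Added example, not the plugin's code. Assumption: esc_attr()/esc_html() come from
// WordPress; outside it (php cli) these shims approximate them with htmlspecialchars().
if (!function_exists('esc_attr')) {
    function esc_attr(string $t): string {
        return htmlspecialchars($t, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $t): string {
        return htmlspecialchars($t, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: stored title/caption interpolated raw into an attribute and
// into the visible caption. A quote or angle bracket in the value becomes markup.
function render_item_unescaped(string $src, string $title, string $caption): string {
    return '<a href="' . $src . '" data-fancybox="gallery" title="' . $title . '">'
         . '<img src="' . $src . '" alt="' . $caption . '"></a>'
         . '<p class="caption">' . $caption . '</p>';
}

// Hardened pattern: esc_attr() inside attribute values, esc_html() in text content.
// $src is treated as a trusted attachment URL here; in a real plugin it gets esc_url().
function render_item_escaped(string $src, string $title, string $caption): string {
    return '<a href="' . esc_attr($src) . '" data-fancybox="gallery" title="' . esc_attr($title) . '">'
         . '<img src="' . esc_attr($src) . '" alt="' . esc_attr($caption) . '"></a>'
         . '<p class="caption">' . esc_html($caption) . '</p>';
}

// Returns true when neither constructed value survives as live markup in the output.
function output_is_inert(string $html): bool {
    return strpos($html, 'data-injected="1"') === false && strpos($html, '<b>') === false;
}

// Constructed sample values standing in for attacker-controlled stored metadata.
$src     = 'https://example.invalid/uploads/sunset.jpg';
$title   = 'Sunset" data-injected="1';   // closes the title attribute early
$caption = 'Beach <b>day</b>';           // adds an element to the caption text

$raw  = render_item_unescaped($src, $title, $caption);
$safe = render_item_escaped($src, $title, $caption);
echo "Unescaped (inert: " . var_export(output_is_inert($raw), true) . "):\n$raw\n\n";
echo "Escaped (inert: "   . var_export(output_is_inert($safe), true) . "):\n$safe\n";
```

Running it prints the unescaped item with a new data-injected attribute and a bold element, and the escaped item with both rendered as literal text.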
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-04-15T19:54:17.214Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 683ee1eb182aa0cae2739648
Added to database: 6/3/2025, 11:52:11 AM
Last enriched: 7/11/2025, 6:48:15 AM
Last updated: 8/17/2025, 10:16:39 PM