Home

Description

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

PUBLISHED Reserved 2025-04-15 | Published 2025-09-12 | Updated 2025-09-12 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status
affected

Any version
affected

Credits

Pierre Rudloff finder

WPScan coordinator

References

wpscan.com/...rability/5afdd448-0f7e-409e-a47b-8e5c5b707639/ exploit vdb-entry technical-description

cve.org (CVE-2025-3650)

nvd.nist.gov (CVE-2025-3650)

Download JSON