SBA Security Advisory – Easy FancyBox WordPress Plugin – Stored Cross-site Scripting (XSS) (CVE-2019-16524)
Vulnerability Overview
The Easy FancyBox WordPress Plugin version 1.8.17 is susceptible to Stored Cross-site Scripting via its settings on the Settings > Media admin page (/wp-admin/options-media.php). Setting values submitted on that page are stored and later rendered without proper output encoding, so an attacker with access to the settings page can store a script payload that is executed in the browser of every visitor, since the plugin's output is included on every publicly accessible page of the WordPress site.
- Type of Vulnerability: Cross-site Scripting
- Fixed in Version: 1.8.18
- CVE ID: CVE-2019-16524
- CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
- CVSSv3.1 Base Score: 3.5 (Low)
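To illustrate the vulnerability class described above, the following is an added example written for this advisory; it is not Easy FancyBox code and does not reproduce the plugin's actual option names or templates. The plugin, the option name myplugin_overlay_color and the output locations are assumptions. It shows the pattern that produces stored XSS (an admin-submitted setting echoed verbatim into every page) next to a hardened version that validates the value on save and encodes it for the exact output context (JavaScript string literal or HTML attribute).

```php
<?php
// Added illustration for this advisory, not Easy FancyBox code.
// Hypothetical plugin with one setting, 'myplugin_overlay_color', registered on
// the Settings > Media page ('media' option group) and printed on every page.

// VULNERABLE pattern: the stored setting is concatenated into an inline script
// without encoding. A value such as
//   '; alert(document.cookie); //
// breaks out of the string literal and runs for every visitor (stored XSS).
function myplugin_print_settings_vulnerable() {
    $color = get_option( 'myplugin_overlay_color', '#000' );
    echo "<script>var myOverlayColor = '" . $color . "';</script>\n";
}

// HARDENED pattern, step 1: validate on save. Only a hex colour is accepted;
// anything else falls back to a safe default.
function myplugin_sanitize_overlay_color( $value ) {
    $value = is_string( $value ) ? trim( $value ) : '';
    if ( preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value ) ) {
        return $value;
    }
    return '#000';
}

// HARDENED pattern, step 2: encode for the output context regardless of what
// is in the database (defence in depth in case the value was stored earlier
// or written by another code path).
function myplugin_print_settings_hardened() {
    $color = get_option( 'myplugin_overlay_color', '#000' );

    // JavaScript context: wp_json_encode() emits a quoted JS string literal and
    // escapes quotes, backslashes and "/" (so "</script>" cannot terminate the block).
    echo '<script>var myOverlayColor = ' . wp_json_encode( $color ) . ";</script>\n";

    // HTML attribute context: esc_attr() is the correct encoder here.
    echo '<div class="my-overlay" data-color="' . esc_attr( $color ) . '"></div>' . "\n";
}

// Register the setting with its sanitizer so WordPress validates the value
// whenever the Settings > Media form is saved.
add_action( 'admin_init', function () {
    register_setting(
        'media',
        'myplugin_overlay_color',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'myplugin_sanitize_overlay_color',
            'default'           => '#000',
        )
    );
} );

// Emit the hardened output in the <head> of every front-end page.
add_action( 'wp_head', 'myplugin_print_settings_hardened' );
```

The CVSS vector above (PR:H, UI:R) reflects this pattern: storing the payload requires an account that can save the settings page, and the payload fires when another user loads a page that renders the setting. Input validation alone is not sufficient; the encoder must match the context the value is written into, which is why the hardened output uses wp_json_encode() for the script and esc_attr() for the attribute rather than a single generic escape.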
Recommended Countermeasure
We recommend updating the Easy FancyBox WordPress Plugin to version 1.8.18 or later. For further details, see the full security advisory.
Links
Credits
- Jakob Hagl (SBA Research)