VYPR
Low severity (CVSS 3.5) · NVD Advisory · Published Sep 12, 2025 · Updated Apr 15, 2026

CVE-2025-3650

Description

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in the jQuery Colorbox WordPress plugin through 4.6.3 allows users with the contributor role or higher to attack administrators via unsanitized link title attributes.

Vulnerability

Analysis

The jQuery Colorbox WordPress plugin through version 4.6.3 contains a stored cross-site scripting (XSS) vulnerability caused by insufficient sanitization of title attributes on links [1]. The bundled colorbox library reads the title attribute of a link and uses it in the user interface without escaping it first. As a result, any user with at least the contributor role can place arbitrary JavaScript in a link's title field, and that script executes in the browser of an administrator who views the affected content.

Exploitation

To exploit this vulnerability, an attacker needs a WordPress account with contributor-level privileges or higher [1]. No special network position is required: the malicious payload is stored in a link's title attribute and triggers when an administrator views the page on which the link is displayed. The XSS is persistent (stored), so the payload remains in the database and affects every subsequent view.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an authenticated administrator's session [1]. This can lead to session hijacking, privilege escalation, defacement, or theft of sensitive data. Because the attack targets administrators, the potential impact is elevated even though the severity rating (CVSS 3.5) is low.

Mitigation

As of the publication date, no fix is available for this vulnerability [1]. The plugin appears to be no longer maintained, and users are advised to remove or replace the plugin with an alternative that properly sanitizes user input. There is no evidence that this CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
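As an added illustration of the mechanism described under Analysis and the clean-up implied under Mitigation (example code, not colorbox's or the plugin's own; the caption-building functions and the sample post content are assumed for the illustration), the unescaped interpolation sits beside its encoded form, followed by an audit helper that finds link titles already stored in post HTML that carry markup:

```javascript
// Encode the five characters that matter inside element bodies and
// quoted attributes, so the title is displayed as text, never parsed.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Vulnerable pattern (the class of defect the advisory describes): the
// title is interpolated straight into markup and the browser parses it.
function buildCaptionUnsafe(title) {
  return `<div class="caption">${title}</div>`;
}

// Hardened pattern: encode before interpolation.
function buildCaptionSafe(title) {
  return `<div class="caption">${escapeHtml(title)}</div>`;
}

// WordPress stores attribute values entity-encoded, but the DOM hands a
// script the decoded value, so an audit must decode before inspecting.
function decodeEntities(str) {
  return str
    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

const ANCHOR_RE = /<a\b[^>]*\btitle\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>/gi;
const SUSPICIOUS_RE = /<|\bon\w+\s*=|javascript:/i;

// Return decoded title values that contain markup or handler syntax.
// Regex-based triage for defenders, not a full HTML parser.
function findSuspiciousLinkTitles(html) {
  const hits = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const title = decodeEntities(m[1] ?? m[2] ?? "");
    if (SUSPICIOUS_RE.test(title)) hits.push(title);
  }
  return hits;
}

// Constructed sample post content (not from any real site).
const SAMPLE_POST = `
<p><a href="a.jpg" class="cboxElement" title="Holiday photo">pic</a></p>
<p><a href="b.jpg" class="cboxElement" title="&lt;img src=x onerror=alert(1)&gt;">x</a></p>
`;
```

Running the audit over exported post content before removing the plugin shows which stored titles would have executed, which is useful when deciding whether administrator sessions may already have been exposed.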

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.