CVE-2025-8560

The FancyTabs plugin for WordPress, in all versions up to and including 1.1.0, contains a stored cross-site scripting (XSS) vulnerability. The root cause lies in the fancy_tab shortcode handler, which uses the title attribute directly in a sprintf() call without proper sanitization or output escaping. The resulting HTML is later echoed in the fancy_tabs function without escaping, as seen in the source code where $tab['title'] is inserted directly into the tab markup [1].

Exploitation requires an authenticated user with at least Contributor-level access. The attacker can craft a shortcode with a malicious title parameter containing JavaScript payloads. When the shortcode is processed, the payload is stored in the post content and later executed in the browsers of any user viewing the affected page. No additional privileges or user interaction beyond viewing the page is needed for the script to execute.

Successful injection allows the attacker to execute arbitrary web scripts in the context of the victim's session. This can lead to session hijacking, defacement,acement, or redirection to malicious sites. The impact is limited by the Contributor role requirement, but any user with the ability to create or edit posts can be a vector.

As of the publication date, the vulnerability remains unpatched in the latest version (1.1.0). Users are advised to remove or disable the plugin until a security update is released. No workaround is provided by the vendor. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.