CVE-2025-28935

CVE-2025-28935 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Fancybox Plus WordPress plugin (fancybox-plus component) developed by puzich. This issue impacts all versions from n/a through 1.0.1, as published on 2025-03-26.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no required privileges, but necessitating user interaction such as clicking a malicious link. Remote attackers can deliver payloads via reflected inputs, enabling arbitrary script execution in the victim's browser context with changed scope, potentially compromising low levels of confidentiality, integrity, and availability, such as session hijacking or data theft.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/fancybox-plus/vulnerability/wordpress-fancybox-plus-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS in Fancybox Plus version 1.0.1 for WordPress, providing details on the issue for practitioners to review mitigation guidance and available patches.