jQuery Colorbox

3.5 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Description

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

Basic Information

ID CVE-2025-3650

Source WPScan

Published Sep 12, 2025 at 06:00

Modified Sep 12, 2025 at 16:29

Affected Product

Vendor Unknown

Product jQuery Colorbox

Affected Versions Unknown jQuery Colorbox 0

CWE Classification

References

wpscan.com /vulnerability/5afdd448-0f7e-409e-a47b-8e5c5b707639/

{
    "lastseen": "",
    "description": "The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.",
    "published": "2025-09-12T06:00:03.695Z",
    "modified": "2025-09-12T16:29:28.056Z",
    "type": "cve",
    "title": "jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/5afdd448-0f7e-409e-a47b-8e5c5b707639/",
    "id": "CVE-2025-3650",
    "bulletinFamily": "",
    "cwe": [
        ""
    ],
    "cvelist": null,
    "sourceData": "Unknown jQuery Colorbox 0",
    "sourceHref": "",
    "cvss": {
        "score": 3.5,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jQuery Colorbox",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS_CVE-2025-3650