Description
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.
Remediation
References
Related Vulnerabilities
Jboss EAP Deserialization of Untrusted Data Vulnerability (CVE-2019-16943)
WordPress Plugin Starfish Review Generation & Marketing for WordPress Security Bypass (2.0.0)
WordPress Cross-Site Scripting Vulnerability (3.0 - 3.6.1)
WordPress Plugin MainWP Dashboard Unspecified Vulnerability (2.0.22)
WordPress Plugin My WP Translate Multiple Vulnerabilities (1.0.3)