Description

The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.

Remediation

References

CVE-2015-1494

Related Vulnerabilities

MediaWiki Missing Authorization Vulnerability (CVE-2019-12470)

WordPress Plugin Hot Files:File Sharing and Download Manager Cross-Site Scripting (1.0.0)

WordPress Plugin Search 10 times faster with Elasticsearch or Apache Solr with lots of data-WPSOLR Cross-Site Scripting (8.6)

MySQL CVE-2015-4792 Vulnerability (CVE-2015-4792)

Envoy Proxy Use After Free Vulnerability (CVE-2021-43825)

Severity

Medium

Classification

CVE-2015-1494 CWE-707

Tags

Missing Update Known Vulnerabilities