CVE-2025-3650

LOW 3.5 / 10.0
Published: September 12, 2025 at 06:15 AM
Modified: September 15, 2025 at 03:21 PM
Source: contact@wpscan.com

Vulnerability Description

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

CVSS Metrics

Base Score
3.5
Severity
LOW
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

AI Security Analysis

01 // Technical Summary

WordPress websites using the vulnerable jQuery Colorbox plugin (through 4.6.3) are susceptible to Cross-Site Scripting (XSS). Attackers with contributor-level access can inject malicious JavaScript through the title attributes the plugin renders, potentially allowing them to steal administrator credentials or deface the website.

02 // Vulnerability Mechanism

Step 1: Payload Creation: An attacker with contributor-level privileges crafts a link whose title attribute contains HTML with embedded JavaScript (e.g., <a href="#" title="<img src=x onerror=alert(document.cookie)>">).

Step 2: Payload Insertion: The attacker inserts the malicious link into a WordPress post or page using the Colorbox plugin's functionality.

Step 3: Administrator Interaction: An administrator views the post or page containing the malicious link. The Colorbox plugin renders the link and its title attribute.

Step 4: XSS Execution: When the administrator interacts with the link (e.g., by clicking it or hovering over it, depending on the plugin's configuration), the malicious JavaScript within the title attribute is executed in the administrator's browser context.

Step 5: Impact: The executed JavaScript can perform various malicious actions, such as stealing the administrator's session cookies, redirecting the administrator to a phishing site, or defacing the website.

03 // Deep Technical Analysis

The vulnerability stems from a lack of input sanitization in the jQuery Colorbox plugin when handling the title attributes of links. The plugin neither escapes nor filters the title attribute before passing it to the colorbox library, which renders it as HTML rather than as text. An attacker can therefore inject arbitrary HTML and JavaScript that executes in the administrator's browser context when they view the page containing the crafted link. The root cause is the missing HTML escaping (or equivalent validation) of the title attribute before it is handed to the colorbox library for display.
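The root cause described above, illustrated as an added example that is not code from the plugin or from the colorbox library: a caption renderer that concatenates the title attribute straight into markup (the unsafe pattern), beside one that escapes it first. The function names and the caption markup are assumptions for the illustration.

```javascript
// Added example (not from the plugin or the colorbox library): an HTML-escaping
// helper and two caption renderers, one unsafe and one hardened.

// Escape the five characters that matter when text is interpolated into HTML.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the link's title attribute is concatenated into markup that
// the lightbox later inserts with innerHTML / jQuery .html(). Any tag in the
// title becomes live DOM, which is the XSS described in this advisory.
function renderTitleUnsafe(title) {
  return '<div class="caption">' + title + '</div>';
}

// Hardened pattern: escape first, so the title can only ever render as text.
// (Equivalently, build a text node with document.createTextNode or jQuery .text()
// instead of producing an HTML string at all.)
function renderTitleSafe(title) {
  return '<div class="caption">' + escapeHtml(title) + '</div>';
}

// Constructed sample: a contributor-controlled title carrying markup.
const sampleTitle = '<img src=x onerror=alert(1)>';

// Review check: does the caption body contain any raw tag besides our wrapper?
function captionContainsInjectedTag(html) {
  const inner = html.slice('<div class="caption">'.length, -'</div>'.length);
  return /<[a-zA-Z]/.test(inner);
}

console.log(renderTitleUnsafe(sampleTitle)); // raw <img ...> would become live DOM
console.log(renderTitleSafe(sampleTitle));   // &lt;img ...&gt; renders as literal text
```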

CVE-2025-3650 - LOW Severity (3.5) | Free CVE Database | 4nuxd