Floragasse 7 – 5th floor, 1040 Vienna
Subscribe to our Newsletter


SBA Security Advisory – Easy FancyBox WordPress Plugin – Stored Cross-site Scripting (XSS) (CVE-2019-16524)

Vulnerability Overview

The Easy FancyBox WordPress Plugin Version 1.8.17 is susceptible to Stored Cross-site Scripting in the Settings > Media admin page /wp-admin/options-media.php due to improper encoding of arbitrarily submitted setting parameters. The vulnerability affects every publicly accessible page of the WordPress site.

  • Type of Vulnerability: Cross-site Scripting
  • Fixed in Version: 1.8.18
  • CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
  • CVSSv3.1 Base Score: 3.5 (Low)

Recommended Countermeasure

We recommend to update Easy FancyBox WordPress Plugin to version 1.8.18 or later. For further details, see the full security advisory.


Full Security Advisory