Description
The FancyTabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply patch
AI Analysis

Impact

The FancyTabs plugin for WordPress is vulnerable to stored cross‑site scripting due to insufficient input sanitization of the title parameter. When an authenticated user with Contributor or higher permissions supplies malicious content, the plugin stores it unchanged and later renders it on pages, allowing arbitrary JavaScript to execute for any visitor who loads an affected page. The core weakness is a classic CWE‑79 reference‑owasp input/​output handling flaw.

Affected Systems

All installations of the FancyTabs plugin authored by GhostToast that use version 1.1.0 or earlier are affected. The CVE description does not provide a specific fixed version for newer releases.

Risk and Exploitability

The CVSS score of 6.4 categorizes the problem as a medium‑severity flaw. The EPSS value of less than 1% indicates that current exploitation attempts are unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack requires only an authenticated Contributor‑level account; once an attacker injects a script, it will run in the context of any site visitor, potentially allowing credential theft, defacement, or further exploitation. The primary attack vector is an authenticated web‑application request to the title field, and the impact is confined to the sites where the plugin is enabled.

Generated by OpenCVE AI on April 21, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FancyTabs plugin to the latest version available from GhostToast.
  • If updating immediately is not possible, restrict Contributor and higher roles from using the title field in FancyTabs or disable the plugin on public‑facing pages.
  • Apply an additional input sanitization rule to strip or escape HTML from the title parameter until a patched version is deployed, thereby mitigating the XSS vector.

Generated by OpenCVE AI on April 21, 2026 at 18:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31694 The FancyTabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 30 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The FancyTabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title FancyTabs <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:31.495Z

Reserved: 2025-08-04T18:37:18.107Z

Link: CVE-2025-8560

cve-icon Vulnrichment

Updated: 2025-09-30T15:24:14.288Z

cve-icon NVD

Status : Deferred

Published: 2025-09-30T11:37:45.613

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses