CVE-2025-3650: jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS
Published Sep 12, 2025
The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize the title attribute of links before using it in the page. A user with at least the Contributor role can therefore store a crafted title that results in a cross-site scripting (XSS) attack against administrators who view it.
Affected Software
1 affected component: jQuery Colorbox <= 4.6.3
Event History
Sep 12, 2025
- CVE Published (via MITRE · 06:00 AM)
- Data Sourced (via MITRE · 06:00 AM): Description, Weakness
- Data Sourced (via NVD · 06:15 AM): Description, Severity
Frequently Asked Questions
1. What is the severity of CVE-2025-3650?
CVE-2025-3650 is categorized as a medium severity vulnerability due to its potential for XSS attacks.
2. How do I fix CVE-2025-3650?
To fix CVE-2025-3650, update the jQuery Colorbox WordPress plugin to version 4.6.4 or later.
3. Which version of jQuery Colorbox is affected by CVE-2025-3650?
jQuery Colorbox versions up to and including 4.6.3 are affected by CVE-2025-3650.
4. What type of attack does CVE-2025-3650 enable?
CVE-2025-3650 enables stored cross-site scripting (XSS) attacks by users with at least the Contributor role.
5. Who can exploit CVE-2025-3650?
Users with at least Contributor privileges can exploit CVE-2025-3650 to conduct XSS attacks against administrators.