FancyBox Security & Risk Analysis

wordpress.org/plugins/fancy-box

Enables fancybox on all image links including BMP, GIF, JPG, JPEG, and PNG links.

4K active installs · v1.1.0 · PHP + WP 2.7+ · Updated Nov 28, 2017
Tags: fancybox, images, javascript, lightbox
Score: 64 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Mar 21, 2025
Safety Verdict

Is FancyBox Safe to Use in 2026?

Use With Caution

Score 64/100

FancyBox has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Mar 21, 2025 · Updated 8yr ago
Risk Assessment

The "fancy-box" v1.1.0 plugin exhibits a seemingly strong static security posture. The absence of detected dangerous functions, file operations, external HTTP requests, and a complete reliance on prepared statements for SQL queries are positive indicators. Furthermore, all identified outputs are properly escaped, and the taint analysis shows no vulnerabilities. However, the plugin's vulnerability history presents a significant concern. With one known and currently unpatched CVE, specifically a medium-severity Cross-Site Scripting (XSS) vulnerability, the overall security risk escalates considerably. The fact that the last vulnerability was reported in the future (2025-03-21) is an anomaly that requires further investigation but, assuming it represents a real historical issue, it points to a pattern of past security weaknesses that have not been remediated in this version. While the code itself appears clean in static analysis, the unaddressed CVE overshadows these strengths, indicating that users are exposed to known risks.

Key Concerns

  • Currently unpatched CVE exists
  • Medium severity CVE history
Vulnerabilities (1)

FancyBox Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-28935 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FancyBox <= 1.0.1 - Reflected Cross-Site Scripting

Mar 21, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

FancyBox Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 0 (0 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0
Attack Surface

FancyBox Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 3
  • action wp_enqueue_scripts (fancybox.php:41)
  • action wp_enqueue_scripts (fancybox.php:42)
  • action wp_head (fancybox.php:43)
Maintenance & Trust

FancyBox Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.5.2
Last updated: Nov 28, 2017
PHP min version
Downloads: 286K

Community Trust

Rating: 56/100
Number of ratings: 9
Active installs: 4K
Developer Profile

FancyBox Developer Profile

Kevin Sylvestre

2 plugins · 5K total installs

Trust score: 77
Avg Security Score: 75/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect FancyBox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /fancy-box/jquery.fancybox.css
  • /fancy-box/jquery.fancybox.js
  • /fancy-box/jquery.easing.js
Version Parameters
  • fancy-box/jquery.fancybox.css?ver=
  • fancy-box/jquery.fancybox.js?ver=
  • fancy-box/jquery.easing.js?ver=

HTML / DOM Fingerprints

Data Attributes
rel="fancybox"
JS Globals
jQuery
FAQ

Frequently Asked Questions about FancyBox