Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.
AnalysisAI
DOM-based cross-site scripting in fesomia FSM Custom Featured Image Caption WordPress plugin versions up to 1.25.1 allows authenticated administrators with high privileges to inject malicious scripts via improper input neutralization during featured image caption generation. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting real-world risk despite the network-accessible attack vector. EPSS exploitation probability is very low at 0.03% percentile rank, and no public exploit code or active exploitation has been identified.
Technical ContextAI
This vulnerability exploits improper output encoding in WordPress plugin code responsible for generating and displaying featured image captions in the DOM (Document Object Model). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controlled input is inserted into HTML or JavaScript contexts without proper escaping or sanitization. The WordPress plugin (CPE: cpe:2.3:a:fesomia:fsm_custom_featured_image_caption) fails to neutralize special characters or script tags when rendering caption data to the client-side DOM, allowing injected JavaScript to execute in the browser context of other administrators who view the affected page. This is specifically a DOM-based XSS variant rather than stored or reflected, meaning the malicious payload is processed client-side within the page structure itself.
RemediationAI
Update FSM Custom Featured Image Caption plugin to version 1.25.2 or later, which patches the DOM-based XSS vulnerability through proper input neutralization and output encoding of featured image captions. WordPress administrators should access the Plugins section of their dashboard, locate FSM Custom Featured Image Caption, and apply the available update immediately. Organizations unable to patch immediately should restrict the featured image caption functionality to trusted administrators only and disable the plugin if it is not actively used. Verification of the patch can be confirmed via the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/fsm-custom-featured-image-caption/.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20389
GHSA-48m9-5wrg-38p7