Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox data-caption attributes in all versions up to, and including, 2.7.10. This is due to the fancybox-config.js script reading the carousel container's id attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the data-caption attribute content as raw HTML. Since WordPress allows data-* attributes through wp_kses_post(), this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox.
AnalysisAI
Stored Cross-Site Scripting in WP Carousel Free plugin for WordPress affects all versions up to 2.7.10, allowing authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malformed carousel container IDs in the fancybox data-caption attribute. The vulnerability arises when the fancybox configuration script fails to initialize due to unsanitized DOM selectors, causing the bundled fancybox library v3.5.7 to fall back to unsafe default caption handling that renders HTML directly. This enables script execution in the context of site visitors clicking images in the compromised carousel lightbox. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The WP Carousel Free plugin bundles fancybox v3.5.7, a lightbox library for displaying images in overlays. The plugin's fancybox-config.js script reads the carousel container's id attribute directly from the DOM to dynamically construct jQuery selectors without input validation. When a Contributor creates a carousel with a malformed container ID containing characters invalid for jQuery syntax (such as spaces, special characters, or brackets), the custom configuration throws a JavaScript error that prevents initialization. This triggers fancybox's fallback behavior, which processes the data-caption attribute as raw HTML instead of plain text. WordPress's wp_kses_post() sanitization function permits data-* attributes by design, allowing the injected caption content to persist in the page DOM. When a user clicks an image in the affected carousel, the malicious script in the caption executes in the user's browser context, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
RemediationAI
Update WP Carousel Free to a patched version released after 2.7.10 via the WordPress plugin dashboard (Plugins > Installed Plugins > WP Carousel Free > Update) or through wp-admin plugin management. The fix should sanitize or validate carousel container IDs before using them in jQuery selectors, and ensure fancybox falls back safely when configuration fails. As an immediate interim mitigation before patching, site administrators can restrict the Contributor role's ability to create or edit carousel blocks by adjusting post type capabilities using a role management plugin (e.g., User Role Editor), limiting XSS creation vectors to trusted users only - however, this reduces site functionality and is not a permanent solution. Alternatively, implement a Web Application Firewall (WAF) rule to block data-caption attributes containing script tags or event handlers before they reach storage, though this is complex and may break legitimate carousel use cases. The Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e75815a3-2414-47f3-b0c4-e5d3e2cb369d provides additional technical detail and should be consulted for the exact patched version number once released.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27181