Skip to main content

Fsm Custom Featured Image Caption EUVDEUVD-2026-20389

| CVE-2026-39693 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-48m9-5wrg-38p7
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
5.9 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20389
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.

AnalysisAI

DOM-based cross-site scripting in fesomia FSM Custom Featured Image Caption WordPress plugin versions up to 1.25.1 allows authenticated administrators with high privileges to inject malicious scripts via improper input neutralization during featured image caption generation. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting real-world risk despite the network-accessible attack vector. EPSS exploitation probability is very low at 0.03% percentile rank, and no public exploit code or active exploitation has been identified.

Technical ContextAI

This vulnerability exploits improper output encoding in WordPress plugin code responsible for generating and displaying featured image captions in the DOM (Document Object Model). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controlled input is inserted into HTML or JavaScript contexts without proper escaping or sanitization. The WordPress plugin (CPE: cpe:2.3:a:fesomia:fsm_custom_featured_image_caption) fails to neutralize special characters or script tags when rendering caption data to the client-side DOM, allowing injected JavaScript to execute in the browser context of other administrators who view the affected page. This is specifically a DOM-based XSS variant rather than stored or reflected, meaning the malicious payload is processed client-side within the page structure itself.

RemediationAI

Update FSM Custom Featured Image Caption plugin to version 1.25.2 or later, which patches the DOM-based XSS vulnerability through proper input neutralization and output encoding of featured image captions. WordPress administrators should access the Plugins section of their dashboard, locate FSM Custom Featured Image Caption, and apply the available update immediately. Organizations unable to patch immediately should restrict the featured image caption functionality to trusted administrators only and disable the plugin if it is not actively used. Verification of the patch can be confirmed via the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/fsm-custom-featured-image-caption/.

Share

EUVD-2026-20389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy