CVE-2026-39693
DOM-Based XSS in FSM Custom Featured Image Caption Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fesomia | fsm_custom_featured_image_caption | to 1.25.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39693 is a Cross Site Scripting (XSS) vulnerability found in the WordPress FSM Custom Featured Image Caption Plugin, affecting versions up to and including 1.25.1.
This vulnerability allows an attacker to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto a website, which execute when visitors access the site.
Exploitation requires a privileged user (such as an author or developer) to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability falls under the OWASP Top 10 category A3: Injection, specifically Cross Site Scripting.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts on your website, potentially leading to unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.
Such script execution can compromise the integrity and trustworthiness of your website for visitors.
However, exploitation requires a privileged user to interact with malicious content, and the overall impact is considered low severity and unlikely to be widely exploited.
No official patch is currently available, so immediate mitigation involves updating the affected plugin or seeking assistance from your hosting provider or web developer.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the FSM Custom Featured Image Caption WordPress plugin up to version 1.25.1. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed.
Since no official patch is available and the vulnerability requires a privileged user action, detection can include checking the plugin version and monitoring for suspicious script injections or unusual behavior on pages generated by the plugin.
Specific commands to detect the vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the FSM Custom Featured Image Caption plugin to a version newer than 1.25.1 if such an update becomes available.
If updating is not possible, users are advised to seek assistance from their hosting provider or web developer to implement temporary mitigations or workarounds.
Monitoring and restricting privileged user actions that could trigger the vulnerability can also help reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-39693 is a Cross Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into a website, which can execute when visitors access the site.
Such vulnerabilities can potentially lead to unauthorized access to user data or manipulation of website content, which may impact compliance with data protection regulations like GDPR or HIPAA by exposing personal or sensitive information.
However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards or regulations.