CVE-2026-4665
Deferred Deferred - Pending Action
Stored XSS in WP Carousel Free WordPress Plugin

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4665
EUVD
EUVD-2026-27181
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_carousel wp_carousel_free to 2.7.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP Carousel Free plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 2.7.10. This happens because the plugin's fancybox-config.js script reads the carousel container's id attribute directly from the DOM without sanitizing it. If a Contributor-level user creates a carousel container with a malformed ID containing characters invalid for jQuery selectors, the custom fancybox configuration fails and throws a JavaScript error.

As a result, the fancybox library falls back to its default caption handling, which renders the data-caption attribute content as raw HTML. Since WordPress allows data-* attributes through wp_kses_post(), this enables authenticated attackers with Contributor-level access or higher to inject arbitrary scripts into pages. These scripts execute whenever a user clicks an image in the crafted carousel lightbox.

Impact Analysis

This vulnerability allows authenticated users with Contributor-level access or above to inject malicious scripts into WordPress pages via the carousel's data-caption attribute. These scripts execute when other users interact with the carousel images, potentially leading to unauthorized actions such as stealing session cookies, defacing content, or performing actions on behalf of other users.

Because the vulnerability involves stored cross-site scripting, the malicious code persists on the site and affects multiple users, increasing the risk and impact.

Detection Guidance

This vulnerability involves the WP Carousel Free plugin for WordPress versions up to 2.7.10 and is triggered by crafted fancybox data-caption attributes causing JavaScript errors and fallback to unsafe caption rendering.

Detection would involve checking if the vulnerable plugin version is installed and active on your WordPress site.

Since the vulnerability is triggered by malformed carousel container IDs and data-caption attributes, you can inspect the HTML source of pages using the carousel for suspicious or malformed data-caption attributes.

There are no specific commands provided in the available resources to detect this vulnerability on your network or system.

Mitigation Strategies

Immediate mitigation steps include updating the WP Carousel Free plugin to a version later than 2.7.10 where this vulnerability is fixed.

If an update is not immediately available, restrict Contributor-level access or higher to trusted users only, as the vulnerability requires authenticated users with Contributor-level access or above to exploit.

Additionally, monitor and sanitize any carousel container IDs and data-caption attributes to prevent injection of malicious scripts.

Compliance Impact

The vulnerability allows authenticated users with Contributor-level access to inject arbitrary web scripts via stored cross-site scripting (XSS) in the WP Carousel Free plugin. This could lead to unauthorized script execution when users interact with the carousel images.

Such unauthorized script execution can potentially lead to data exposure or manipulation, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal data and preventing unauthorized access.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart