Stored Cross-Site Scripting in WP Carousel Free Plugin for WordPress
CVE-2026-4665

6.4 MEDIUM

What is CVE-2026-4665?

The WP Carousel Free plugin for WordPress (Carousel, Slider, Photo Gallery with Lightbox, Video Slider) is vulnerable to stored cross-site scripting via the data-caption attribute used by its fancybox integration. When a carousel container ID is malformed, the plugin's custom fancybox configuration fails to initialise and fancybox falls back to its default behaviour, which treats the data-caption content as raw HTML rather than as text. An authenticated attacker with Contributor-level access can therefore store arbitrary script in a caption, and that script executes in the browser of any user who opens the affected image in the lightbox. The security-relevant point is the failure mode: the escaping of attacker-controlled captions depends on a configuration step that can silently fail, so the unsafe library default becomes the effective behaviour.
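The following is an added illustration, not code from the plugin or from fancybox, of the failure mode described above: a per-carousel configuration that escapes captions is only registered when the container ID is usable, so a malformed ID leaves the library default (caption rendered as HTML) in force. The function and option names (`captionAsHtml`, `resolveConfigVulnerable`, `resolveConfigHardened`, the ID regex) are hypothetical, and the sample caption is a constructed input.

```javascript
// Added example (hypothetical names, not the plugin's own code). Models a
// lightbox whose caption handling falls from "escape as text" to "render as
// raw HTML" when the per-carousel configuration is never applied.

// Minimal HTML escaping for text that is about to be placed into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The library's built-in default: data-caption is trusted markup.
const DEFAULT_CONFIG = { captionAsHtml: true };

// What the integration intends to register for each carousel container.
const SAFE_CONFIG = { captionAsHtml: false };

// A usable container id for this model: a letter, then letters, digits,
// hyphen or underscore. Anything else counts as "malformed".
const ID_RE = /^[A-Za-z][A-Za-z0-9_-]*$/;

// Vulnerable pattern: if the id cannot be used to target the container, the
// custom config is never registered and the library default applies.
function resolveConfigVulnerable(containerId) {
  if (!ID_RE.test(containerId)) {
    return DEFAULT_CONFIG; // silent fall-through to captionAsHtml: true
  }
  return SAFE_CONFIG;
}

// Hardened pattern: an unusable id is an error, not a fallback, and the
// escaping decision never depends on whether initialisation succeeded.
function resolveConfigHardened(containerId) {
  if (!ID_RE.test(containerId)) {
    throw new Error(
      "refusing to initialise carousel: bad container id " +
        JSON.stringify(containerId)
    );
  }
  return SAFE_CONFIG;
}

// Produces the markup that would be injected into the lightbox caption area.
function renderCaption(config, dataCaption) {
  return config.captionAsHtml ? dataCaption : escapeHtml(dataCaption);
}

// Constructed sample input: a Contributor-supplied caption carrying a payload.
const SAMPLE_CAPTION = '<img src=x onerror="alert(document.domain)">';

// Runs one resolver against one container id and returns the rendered
// caption, or null if initialisation was refused.
function demo(resolve, containerId) {
  try {
    return renderCaption(resolve(containerId), SAMPLE_CAPTION);
  } catch (e) {
    return null;
  }
}

// Stand-alone run: shows the four combinations side by side.
for (const [name, resolve] of [
  ["vulnerable", resolveConfigVulnerable],
  ["hardened", resolveConfigHardened],
]) {
  for (const id of ["wpcp-1", "1 bad id"]) {
    console.log(name, JSON.stringify(id), "->", demo(resolve, id));
  }
}
```

The point of the hardened variant is that captions are escaped on every code path: a failed or skipped initialisation must not be able to re-enable HTML rendering of user-controlled attributes.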

Affected Version(s)

Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel: all versions from 0 up to and including 2.7.10

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

The metrics above yield the stated 6.4 base score; the same metrics with Availability rated Low would round to 7.4, so a Low availability rating is inconsistent with the published score, and stored XSS does not normally impact availability.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith