CVE-2026-4665

Name of the Vulnerable Software and Affected Versions WP Carousel Free versions prior to 2.7.11

Description Stored Cross-Site Scripting occurs when the fancybox-config.js script reads the carousel container's id attribute directly from the DOM to construct a jQuery selector without sanitization. If a user with Contributor-level access or higher creates an HTML block with a malformed carousel container ID, the custom configuration fails, causing the bundled fancybox library (v3.5.7) to render the data-caption attribute as raw HTML. This allows authenticated attackers to inject arbitrary web scripts that execute when a user clicks an image in the crafted carousel lightbox.

Recommendations Update to a version later than 2.7.10.