Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-05-05
CVE-2026-4665 - Wp Carousel Free Plugin
The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall…
PLUGIN
Wp Carousel Free
CVE-2026-4665
Risk Score