The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox.
The WP Carousel Free WordPress plugin versions up to 2.7.10 contain a Stored Cross-Site Scripting vulnerability in fancybox data-caption attributes due to unsanitized DOM manipulation. Authenticated contributors can inject malicious scripts through crafted carousel container IDs that bypass jQuery selector validation.
ثغرة XSS المخزنة في إضافة WP Carousel Free تسمح للمستخدمين المصرحين بمستوى المساهم أو أعلى بحقن برامج نصية ضارة. تحدث الثغرة عندما تفشل معالجة معرف حاوية الكاروسيل في التحقق من الصحة، مما يؤدي إلى عودة مكتبة fancybox إلى معالجة البيانات الافتراضية التي تعرض محتوى data-caption كـ HTML خام.
WP Carousel Free plugin for WordPress up to version 2.7.10 is vulnerable to Stored XSS attacks via fancybox data-caption attributes. Attackers with Contributor access can inject malicious HTML/JavaScript through improperly validated carousel container IDs.
Update WP Carousel Free plugin to version 2.7.11 or later immediately. Implement strict input validation and sanitization for carousel container IDs. Apply Content Security Policy headers to restrict inline script execution. Review user permissions and limit Contributor-level access to trusted users only.
قم بتحديث إضافة WP Carousel Free إلى الإصدار 2.7.11 أو أحدث فوراً. طبق التحقق الصارم من صحة المدخلات وتنظيف معرفات حاويات الكاروسيل. طبق رؤوس سياسة أمان المحتوى لتقييد تنفيذ البرامج النصية المضمنة. راجع صلاحيات المستخدمين وقيد الوصول على مستوى المساهم للمستخدمين الموثوقين فقط.