CVE-2026-4665 WP Carousel Free <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-caption' Attribute

The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox data-caption attributes in all versions up to, and including, 2.7.10. This is due to the fancybox-config.js script reading the carousel container's id attribute directly from the DOM to...

CVE-2026-4665 WP Carousel Free <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-caption' Attribute

The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox data-caption attributes in all versions up to, and including, 2.7.10. This is due to the fancybox-config.js script reading the carousel container's id attribute directly from the DOM to...

PT-2026-36965

The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox data-caption attributes in all versions up to, and including, 2.7.10. This is due to the fancybox-config.js script reading the carousel container's id attribute directly from the DOM to...

CVE-2025-4776

The Phlox theme for WordPress (Phlox) is affected by CVE-2025-4776: a Stored XSS via the data-caption attribute in Phlox versions up to and including 2.17.7. Exploitation requires authentication with Contributor-level access or higher and can allow injection of arbitrary scripts that run when use...

CVE-2025-4776 Phlox <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute

The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the data-caption HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

PT-2026-1417

Name of the Vulnerable Software and Affected Versions Phlox theme for WordPress versions through 2.17.7 Description The Phlox theme for WordPress is susceptible to Stored Cross-Site Scripting through the data-caption HTML attribute. Insufficient input sanitization and output escaping allow...

WordPress Phlox plugin <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute vulnerability

Software : Phlox Type : Theme Vulnerable versions : = 2.17.7 Fixed in : 2.17.11 OWASP Top 10 : A3: Injection Classification : Cross Site Scripting XSS CVE ID : CVE-2025-4776 Patchstack priority : Low CVSS severity : 6.5 Required privilege : Contributor Developer : Claim ownership PSID :...

WordPress Phlox plugin <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via data-caption HTML Attribute vulnerability discovered by Webbernaut in WordPress Theme Phlox versions = 2.17.7...

CVE-2025-11801

The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-11801

The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-11801

The AudioTube WordPress plugin (versions

EUVD-2025-198399

The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2025-47685

The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-12691

The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption...

CVE-2025-12691

The CVE-2025-12691 entry concerns the Photonic Gallery & Lightbox for Flickr, SmugMug & Others WordPress plugin (versions &lt;= 3.21). The connected Wordfence report confirms a stored cross-site scripting flaw in the lightbox caption attribute, exploitable by authenticated users with contributor+...

CVE-2025-12691 Photonic Gallery & Lightbox for Flickr, SmugMug & Others <= 3.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Caption Attribute

The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption...

WordPress Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin <= 3.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Caption Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Caption Attribute vulnerability discovered by Webbernaut in WordPress Plugin Photonic Gallery & Lightbox for Flickr, SmugMug & Others versions = 3.21...

CVE-2025-5944 Element Pack Addons for Elementor <= 8.0.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-caption Attribute

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-caption’ attribute in all versions up to, and including, 8.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-5944

CVE-2025-5944 affects the Element Pack Addons for Elementor WordPress plugin (versions up to 8.0.0). The vulnerability is a Stored/DOM-Based Cross-Site Scripting via the data-caption attribute, exploitable by authenticated users with Contributor-level access or higher. The root cause is insuffici...