WP Carousel Free Stored Cross-Site Scripting Vulnerability in WordPress
Vulnerability
A stored cross-site scripting vulnerability has been identified in the WP Carousel Free plugin for WordPress, affecting all versions up to and including 2.7.10. The issue arises because the 'fancybox-config.js' script reads the carousel container's 'id' attribute from the DOM and concatenates it directly into a jQuery selector, without escaping it. A malformed 'id' therefore produces an invalid selector, and the resulting initialization failure leaves the fancybox lightbox running with default settings. This allows authenticated attackers with Contributor-level access and above to inject arbitrary scripts via the 'data-caption' attribute of the fancybox, which are executed when a user interacts with the carousel lightbox.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting: the injected script is saved with the content and executed, in the site's origin and with the victim's session, in the browser of any user who interacts with the carousel lightbox. Because only Contributor-level access is required, the payload can run for higher-privileged users such as editors or administrators who view the content.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher creates an HTML block containing a carousel container whose 'id' attribute includes characters that are invalid in a jQuery ID selector (for example a space or a leading digit). When a page containing the block is rendered, the fancybox fails to initialize with the plugin's configuration and reverts to its default settings, under which 'data-caption' attributes are processed as raw HTML. A 'data-caption' value carrying script markup is then executed when the caption is displayed in the lightbox. Note that Contributors cannot publish posts directly; the post must be published by an Editor or Administrator, and the payload fires for whoever subsequently opens the lightbox.
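The following is an added example, not code from the WP Carousel Free plugin or from fancybox, that models the two defects the advisory describes (an ID concatenated unescaped into a selector, and a permissive fallback that renders captions as HTML) beside a hardened version. The function names, the selector-grammar check and the lightbox "mode" values are this example's own assumptions; 'cssEscape' reimplements the CSSOM 'CSS.escape()' algorithm so the example runs in Node without a DOM, and the sample IDs and caption payload are constructed inputs.

```javascript
// Added example (not the plugin's code). Models: unescaped id -> invalid
// selector -> fallback to defaults that treat data-caption as raw HTML.

// Serialize a string as a CSS identifier (same algorithm as CSS.escape(),
// reimplemented here because Node has no CSS object).
function cssEscape(value) {
  const str = String(value);
  const len = str.length;
  const first = str.charCodeAt(0);
  let out = '';
  for (let i = 0; i < len; i++) {
    const c = str.charCodeAt(i);
    if (c === 0x0000) { out += '\uFFFD'; continue; }           // NUL -> U+FFFD
    if ((c >= 0x0001 && c <= 0x001F) || c === 0x007F ||          // control chars,
        (i === 0 && c >= 0x0030 && c <= 0x0039) ||               // leading digit,
        (i === 1 && c >= 0x0030 && c <= 0x0039 && first === 0x002D)) { // "-" + digit
      out += '\\' + c.toString(16) + ' ';                        // hex escape + space
      continue;
    }
    if (i === 0 && len === 1 && c === 0x002D) { out += '\\-'; continue; } // lone "-"
    if (c >= 0x0080 || c === 0x002D || c === 0x005F ||
        (c >= 0x0030 && c <= 0x0039) || (c >= 0x0041 && c <= 0x005A) ||
        (c >= 0x0061 && c <= 0x007A)) {
      out += str.charAt(i);                                       // safe as-is
      continue;
    }
    out += '\\' + str.charAt(i);                                  // everything else: backslash-escape
  }
  return out;
}

// Escape a caption so it renders as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Approximate check that "#..." is a syntactically valid ID selector
// (CSS ident grammar: optional "-"/"--", name-start, then name chars or escapes).
// Assumption: stands in for the browser's selector parser, which would throw.
const ESC = '\\\\(?:[0-9a-fA-F]{1,6}[ \\t\\n\\r\\f]?|[^\\n\\r\\f0-9a-fA-F])';
const NAME_START = '(?:[_a-zA-Z\\u00a0-\\uffff]|' + ESC + ')';
const NAME_CHAR = '(?:[-\\w\\u00a0-\\uffff]|' + ESC + ')';
const ID_SELECTOR = new RegExp('^#(?:--|-?' + NAME_START + ')' + NAME_CHAR + '*$');
function isValidIdSelector(selector) {
  return ID_SELECTOR.test(selector);
}

// Vulnerable pattern: the id read from the DOM is concatenated raw, and an
// unusable selector drops the code into "default" settings where the caption
// is inserted verbatim as HTML. (In this model the configured path renders
// the caption as text; the advisory only states that the defaults render HTML.)
function vulnerableCaption(containerId, dataCaption) {
  const selector = '#' + containerId;
  if (!isValidIdSelector(selector)) {
    return { selector, mode: 'fallback', captionHtml: dataCaption };
  }
  return { selector, mode: 'configured', captionHtml: escapeHtml(dataCaption) };
}

// Hardened pattern: escape the id so the selector is always valid (in a
// browser use CSS.escape() or jQuery.escapeSelector(), or pass the element
// itself instead of a selector string), and render captions as text on
// every path so there is no permissive fallback to reach.
function hardenedCaption(containerId, dataCaption) {
  const selector = '#' + cssEscape(containerId);
  return { selector, mode: 'configured', captionHtml: escapeHtml(dataCaption) };
}

// Constructed inputs: an id with a leading digit and a caption carrying markup.
const badId = '1carousel';
const payload = '<img src=x onerror=alert(1)>';
console.log('vulnerable:', vulnerableCaption(badId, payload));
console.log('hardened:  ', hardenedCaption(badId, payload));
```

In the vulnerable model the id '1carousel' yields the selector '#1carousel', which is invalid because an identifier cannot start with a digit, so the caption is emitted as raw HTML; the hardened version yields '#\31 carousel' and an escaped caption. The same holds for ids containing spaces or bracket characters.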
Remediation
Users are advised to update the WP Carousel Free plugin to version 2.7.11 or later.