FSM Custom Featured Image Caption <= 1.25.1 – Authenticated (Author+) Stored Cross-Site Scripting | CVE 2026-39693 | Plugin Vulnerabilities

Description

The FSM Custom Featured Image Caption plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.25.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

fsm-custom-featured-image-caption

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e4af4769-f897-4d44-93d4-9dbb6f142678

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

469fc8f3-2ebc-47b9-a542-f23b8327db17

Timeline

Publicly Published

2026-02-25 (about 3 months ago)

Added

2026-04-15 (about 1 month ago)

Last Updated

2026-04-15 (about 1 month ago)

Other

Published

Title

Published

2025-05-01

Title

Blog2Social: Social Media Auto Post & Scheduler < 8.4.0 - Contributor+ Stored XSS

Published

2021-09-10

Title

Avada < 7.4.2 - Stored Cross-Site Scripting

Published

2025-10-16

Title

Estatik <= 4.3.0 - Contributor+ Stored XSS

Published

2023-10-27

Title

Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode

Published

2022-03-09

Title

WP HTML Mail < 3.1.3 - Reflected Cross-Site Scripting