CVE-2026-39693

The FSM Custom Featured Image Caption plugin for WordPress versions up to and including 1.25.1 contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary JavaScript or HTML into the plugin's output, which is then executed in the context of the victim's browser.

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form [1]. The attack vector is network-based, and user interaction is necessary for successful compromise. The vulnerability is classified as DOM-Based XSS, meaning the payload is executed client-side through DOM manipulation rather than server-side reflection.

Successful exploitation could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which would execute when other users visit the affected site [1]. This can lead to defacement, credential theft, or further compromise of the affected WordPress site. The CVSS v3 base score is 5.9 (Medium), reflecting the need for user interaction and the potential for widespread impact in mass-exploit campaigns [1].

As an immediate mitigation, users should update the plugin to a patched version beyond 1.25.1 [1]. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. The vulnerability is known to be used in automated attacks targeting thousands of websites, regardless of site size or popularity [1].