VYPR

Wp Carousel Free

by WordPress

CVEs (6)

  • CVE-2024-3020 | High | Apr 10, 2024
    risk 0.40 | cvss 7.2 | epss 0.01

    The plugin is vulnerable to PHP Object Injection in versions up to, and including, 2.6.3 via deserialization of untrusted input in the import function via the 'shortcode' parameter. This allows authenticated attackers, with administrator-level access, to inject a PHP Object. If a…

  • CVE-2026-4665 | Med | May 5, 2026
    risk 0.35 | cvss 6.4 | epss 0.00

    The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute…

  • CVE-2024-4002 | May 15, 2025
    risk 0.00 | cvss | epss 0.00

    The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…

  • CVE-2024-13331 | Feb 4, 2025
    risk 0.00 | cvss | epss 0.01

    The WP Dream Carousel WordPress plugin through 1.0.1b does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

  • CVE-2023-0589 | Mar 27, 2023
    risk 0.00 | cvss | epss 0.00

    The WP Image Carousel WordPress plugin through 1.0.2 does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

  • CVE-2022-4482 | Jan 16, 2023
    risk 0.00 | cvss | epss 0.00

    The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting…