Description
Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Image Carousel, a WordPress plugin developed by GhozyLab, contains a stored cross-site scripting flaw in all releases up to and including 1.0.0.41. "Contributor" in the title is the WordPress role required to exploit it: an authenticated user with Contributor-level privileges can place script in content that the plugin later renders, and that script runs in the browser of anyone who views the affected page, potentially leading to session hijacking, credential theft, or defacement. The weakness is a failure to neutralize user-controlled input before it is written into the generated page (CWE-79); the fix is context-correct output escaping, not input validation alone.

Affected Systems

WordPress sites running the GhozyLab Image Carousel plugin at version 1.0.0.41 or earlier. WordPress core is not affected, and sites without the plugin installed are out of scope. Because the version string has four components, version checks must compare numerically rather than as strings.
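As an added check for the affected range (this is example code, not part of the advisory and not GhozyLab's plugin code): the script below reads the standard WordPress plugin header (Plugin Name / Version / Author) from a plugin's main PHP file, matches on the name and author given on this page, and compares the version numerically against 1.0.0.41. It assumes only the standard header format; the plugin's directory slug is not stated here, so matching is on header fields, and the sample headers are constructed for the example.

```python
"""Flag WordPress plugin files that carry an affected Image Carousel build.

Added example, not from the advisory or from GhozyLab. Assumes the plugin's
main PHP file uses the standard WordPress header block; the affected range
"<= 1.0.0.41" is taken from the CVE description. Sample headers are constructed.
"""
import re
from typing import Dict, Optional, Tuple

AFFECTED_MAX = "1.0.0.41"       # last affected version, per the CVE description
PLUGIN_NAME = "Image Carousel"  # case-insensitive substring match on "Plugin Name:"
PLUGIN_AUTHOR = "GhozyLab"      # case-insensitive substring match on "Author:"


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.0.0.41' -> (1, 0, 0, 41); stops at the first non-numeric piece ('1.2-beta' -> (1, 2)).

    Numeric comparison matters: as plain strings, '1.0.0.5' sorts *after* '1.0.0.41'.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b; missing trailing components count as zero (1.0.1 == 1.0.1.0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) <= tb + (0,) * (width - len(tb))


def read_plugin_header(php_source: str) -> Dict[str, str]:
    """Pull 'Key: value' lines out of the header comment at the top of a plugin's main file."""
    fields: Dict[str, str] = {}
    for key in ("Plugin Name", "Version", "Author"):
        m = re.search(
            rf"^[ \t/*#@]*{re.escape(key)}:[ \t]*(.+?)[ \t]*$",
            php_source, re.MULTILINE | re.IGNORECASE,
        )
        if m:
            fields[key] = m.group(1)
    return fields


def is_affected(php_source: str) -> Optional[bool]:
    """None if this is not the GhozyLab Image Carousel plugin, else whether its version is <= 1.0.0.41."""
    h = read_plugin_header(php_source)
    if PLUGIN_NAME.lower() not in h.get("Plugin Name", "").lower():
        return None
    if PLUGIN_AUTHOR.lower() not in h.get("Author", "").lower():
        return None
    if "Version" not in h:
        return None
    return version_le(h["Version"], AFFECTED_MAX)


def scan(files: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each plugin file path to is_affected(); feed it os.walk() output over wp-content/plugins in practice."""
    return {path: is_affected(src) for path, src in files.items()}


# Constructed sample headers for the example (not the real plugin files).
SAMPLE_AFFECTED = """<?php
/**
 * Plugin Name: Image Carousel
 * Version: 1.0.0.5
 * Author: GhozyLab
 */
"""
SAMPLE_NEWER = """<?php
/**
 * Plugin Name: Image Carousel
 * Version: 1.0.1
 * Author: GhozyLab
 */
"""  # hypothetical later release; no fixed version is listed at the time of writing
SAMPLE_UNRELATED = """<?php
/**
 * Plugin Name: Image Carousel Lite
 * Version: 0.9
 * Author: Someone Else
 */
"""

if __name__ == "__main__":
    results = scan({
        "site-a/wp-content/plugins/example/main.php": SAMPLE_AFFECTED,
        "site-b/wp-content/plugins/example/main.php": SAMPLE_NEWER,
        "site-c/wp-content/plugins/other/main.php": SAMPLE_UNRELATED,
    })
    for path, hit in results.items():
        label = {True: "AFFECTED", False: "not affected", None: "not this plugin"}[hit]
        print(f"{label:16} {path}")
```

The point of `parse_version` is the four-component version: a fleet inventory that compares `"1.0.0.5" <= "1.0.0.41"` as strings will wrongly report that install as unaffected.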

Risk and Exploitability

The CVSS 3.1 score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) places this vulnerability in the medium severity range. The EPSS score is below 1% and the flaw is not in CISA's KEV catalog, so widespread exploitation has not been observed; the SSVC assessment recorded in the history below likewise lists Exploitation "none" and Automatable "no". The vector makes the preconditions explicit: the attacker needs an authenticated account with at least Contributor privileges (PR:L), the payload is supplied through the plugin's input fields and stored, and it fires only when another user views the affected content (UI:R), for example an editor or administrator reviewing a contributor's submission. Because the script runs with that viewer's session, the impact crosses the attacker's own privilege boundary (S:C). Unauthenticated visitors and read-only accounts cannot plant the payload, which is the main limiting factor.

Generated by OpenCVE AI on June 26, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GhozyLab Image Carousel plugin as soon as the vendor publishes a release newer than 1.0.0.41, and confirm from the release notes that it addresses this issue; at the time of writing no fixed version is listed.
  • Until then, limit who can reach the vulnerable input: restrict creation and editing of carousel content to trusted Editor and Administrator accounts (via the plugin's settings or a role-management plugin), review carousel content already created by Contributor-level users for injected markup, or deactivate the plugin.
  • As defence in depth, deploy a Content-Security-Policy that disallows inline script (no 'unsafe-inline' in script-src; use per-response nonces or hashes) and restricts script sources to an allowlist. Roll it out in Content-Security-Policy-Report-Only mode first, since WordPress admin pages and many plugins rely on inline scripts, and treat it as a mitigation rather than a fix: the stored payload still has to be found and removed.

Generated by OpenCVE AI on June 26, 2026 at 16:21 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
Title       |                | WordPress Image Carousel plugin <= 1.0.0.41 - Cross Site Scripting (XSS) vulnerability
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:48:49.567Z

Reserved: 2025-12-15T10:01:24.072Z

Link: CVE-2025-68074

Vulnrichment

Updated: 2026-06-26T15:48:43.791Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')