Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS. This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.
Published: 2026-04-08
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The FSM Custom Featured Image Caption plugin contains a DOM-based XSS flaw, classified as CWE-79. In a DOM-based XSS the injection happens in the browser: client-side script belonging to the plugin takes attacker-influenced caption content (for example from the URL or from a stored caption value) and writes it into the page through an HTML-interpreting sink without neutralizing it, so any script embedded in the caption runs in the victim's browser with the origin of the affected site. The impact is arbitrary client-side code execution in that origin, which an attacker can use for session hijacking, defacement, or delivering further malicious content to the user.
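The pattern described above, shown as an added example that is not the plugin's code: a caption taken from a hypothetical `caption` query parameter is written into markup unescaped (the DOM-based XSS shape), next to the same rendering with HTML escaping applied before the value reaches the `innerHTML`-style sink. The parameter name, the `fsm-caption` class, and the sample URL are assumptions for illustration; nothing on the advisory page names the plugin's actual source or sink.

```javascript
// Added example (not the plugin's code). ASSUMPTIONS: the caption comes
// from a hypothetical `caption` query parameter, the wrapper element and
// its `fsm-caption` class are invented, and the sample URL is constructed.

// Vulnerable pattern: untrusted text is concatenated straight into markup.
// Handing this string to element.innerHTML lets any embedded element or
// event handler execute in the page's origin.
function buildCaptionHtmlUnsafe(caption) {
  return '<figcaption class="fsm-caption">' + caption + '</figcaption>';
}

// Hardened pattern: escape the characters that are significant in an HTML
// text context before the value reaches the sink. This is escaping for an
// element body; attribute, URL and JavaScript contexts need their own rules.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function buildCaptionHtmlSafe(caption) {
  return '<figcaption class="fsm-caption">' + escapeHtml(caption) + '</figcaption>';
}

// DOM-based XSS source: the value is read client-side from the URL rather
// than arriving in the server response. `caption` is a hypothetical name.
function captionFromUrl(href) {
  return new URL(href).searchParams.get('caption') || '';
}

// Review helper: after stripping the known wrapper, does the caption body
// still contain a raw tag opener? Escaped output never does, because every
// '<' has become '&lt;'.
function containsRawTag(html) {
  const body = html
    .replace(/^<figcaption[^>]*>/, '')
    .replace(/<\/figcaption>$/, '');
  return /<[a-z!\/]/i.test(body);
}

// Constructed sample: a classic image-onerror payload in the query string.
const SAMPLE_URL =
  'https://example.test/post/?caption=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E';

function demo(href = SAMPLE_URL) {
  const caption = captionFromUrl(href);
  const unsafe = buildCaptionHtmlUnsafe(caption);
  const safe = buildCaptionHtmlSafe(caption);
  return {
    caption,
    unsafe,
    safe,
    unsafeHasRawTag: containsRawTag(unsafe), // true: payload survives intact
    safeHasRawTag: containsRawTag(safe),     // false: rendered as visible text
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real browser the simplest hardening is to avoid the HTML-interpreting sink altogether (`figcaption.textContent = caption` instead of building a string for `innerHTML`); the escaping function above is the fallback when markup must be assembled as a string. The `containsRawTag` check is only a reviewer's smoke test, not a sanitizer.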

Affected Systems

The vulnerability affects the WordPress plugin FSM Custom Featured Image Caption (slug fsm-custom-featured-image-caption), published by fesomia, in all versions up to and including 1.25.1. Any WordPress site with the plugin installed at version 1.25.1 or earlier is exposed; this page lists no fixed version.

Risk and Exploitability

The CVSS 3.1 vector recorded for this issue (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) yields a score of 5.9. The attack is network-reachable and low in complexity, but it requires high privileges (PR:H) and user interaction (UI:R): in practice an attacker needs a privileged account on the site to plant or trigger the malicious caption content, or must get a victim to open a crafted URL, and the victim must then load the affected page. The changed scope (S:C) reflects that the script executes in the victim's browser rather than in the plugin itself, with low confidentiality, integrity and availability impact. EPSS puts the probability of exploitation below 1%, and there is no CISA KEV listing, so no active exploitation is known at the time of writing. The risk is nonetheless real for high-traffic sites and for sites where many accounts hold the privileges needed to edit featured-image captions.

Generated by OpenCVE AI on April 13, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FSM Custom Featured Image Caption plugin to a version later than 1.25.1 as soon as the vendor releases one; this page does not list a fixed version.
  • Until a fixed version is available, deactivate or remove the plugin. Because exploitation requires a privileged account (PR:H), also review which roles can edit featured-image captions and keep that set as small as possible.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Fesomia; Fesomia fsm Custom Featured Image Caption; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Fesomia; Fesomia fsm Custom Featured Image Caption; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS. This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.

Type: Title
Values Removed: none
Values Added: WordPress FSM Custom Featured Image Caption plugin <= 1.25.1 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References
Values Removed: none
Values Added: none listed

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.961Z

Reserved: 2026-04-07T10:58:16.464Z

Link: CVE-2026-39693

Vulnrichment

Updated: 2026-04-13T18:53:57.559Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:41.647

Modified: 2026-04-24T18:05:35.730

Link: CVE-2026-39693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:38:29Z

Weaknesses