{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39693", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:16.464Z", "datePublished": "2026-04-08T08:30:45.404Z", "dateUpdated": "2026-04-08T08:30:45.404Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "fsm-custom-featured-image-caption", "product": "FSM Custom Featured Image Caption", "vendor": "fesomia", "versions": [{"lessThanOrEqual": "1.25.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.963Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.<p>This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:45.404Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/fsm-custom-featured-image-caption/vulnerability/wordpress-fsm-custom-featured-image-caption-plugin-1-25-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress FSM Custom Featured Image Caption plugin <= 1.25.1 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1."}], "id": "CVE-2026-39693", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:41.647", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/fsm-custom-featured-image-caption/vulnerability/wordpress-fsm-custom-featured-image-caption-plugin-1-25-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FSM Custom Featured Image Caption", "source": "cna", "vendor": "fesomia"}, "product": "fsm_custom_featured_image_caption", "vendor": "fesomia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:44:36.705649+00:00", "value": {"mitigation_remediation": ["Check the plugin vendor site or repository for a newer release than 1.25.1 and update the plugin if available.", "If an update is not available, temporarily disable or uninstall the FSM Custom Featured Image Caption plugin to eliminate the vulnerability.", "Monitor site logs for suspicious script executions and consider adding a content security policy that restricts inline scripts."], "summary": {"action": "Patch ASAP", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the fesomia FSM Custom Featured Image Caption plugin installed with a version equal to or earlier than 1.25.1 are affected. No specific patch version is listed in the CVE, so sites should verify whether a later release exists or consult the vendor for an update.", "description_and_impact": "The FSM Custom Featured Image Caption plugin allows a DOM\u2011based cross\u2011site scripting flaw due to unsanitized caption input. When a user loads a page containing the caption field, malicious JavaScript can execute in the visitor\u2019s browser, enabling session theft, defacement, or further compromise. The flaw is categorized as CWE\u201179.", "risk_and_exploitability": "This is a local\u2011to\u2011remote vulnerability that requires the attacker to trick a visitor into loading a crafted page; therefore, the exploitation vector is social engineering or a public link. The CVSS score is not provided, but a DOM\u2011based XSS in a popular plugin poses a moderate to high risk because it can hijack user sessions and alter site content. The lack of an EPSS score or KEV listing does not reduce the severity of potential damage."}}}}, "created": "2026-04-08T19:27:42.149824+00:00", "updated": "2026-04-08T19:40:27.048749+00:00", "vendors": ["fesomia", "fesomia$PRODUCT$fsm_custom_featured_image_caption", "wordpress", "wordpress$PRODUCT$wordpress"]}