The WP Carousel Free plugin for WordPress suffers from a stored XSS vulnerability due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM without sanitization. When a Contributor crafts a malformed carousel container ID containing characters invalid for jQuery selectors, the fancybox configuration fails and the library falls back to rendering the `data-caption` attribute as raw HTML. Since WordPress allows `data-*` attributes via `wp_kses_post()`, this enables authenticated attackers with Contributor or higher privileges to inject arbitrary JavaScript that executes when users click images in the carousel lightbox. This vulnerability affects all versions up to 2.7.10 of the plugin.

An attacker with Contributor-level access or higher can inject persistent malicious scripts into pages using the vulnerable carousel plugin. These scripts execute in the context of users who view and interact with the carousel lightbox images, potentially leading to session hijacking, privilege escalation, or other malicious actions limited by the attacker's privileges and the victim's browser context. The vulnerability does not allow unauthenticated exploitation and does not impact availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only and consider disabling or removing the WP Carousel Free plugin if possible. Monitor vendor channels for updates or patches addressing this vulnerability.