MEDIUM 6.4

CVE-2026-2382: FPW Category Thumbnails Stored XSS Vulnerability in WordPress

The FPW Category Thumbnails WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.9.5. Any user with Subscriber-level access or higher can inject malicious JavaScript through the 'id' parameter in an AJAX function. This script persists in the plugin's settings and executes whenever an administrator views that page, potentially compromising administrator accounts. The vulnerability stems from the plugin failing to properly clean and escape user input before storing and displaying it.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw_fs_get_file' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the plugin's settings page.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-2382 is a Stored XSS vulnerability (CWE-79) in the FPW Category Thumbnails plugin affecting all versions through 1.9.5. The 'fpw_fs_get_file' AJAX action accepts the 'id' parameter without sufficient input sanitization or output escaping. An authenticated user with Subscriber privileges or above can craft a malicious request containing JavaScript payload. The unsanitized input is stored and later rendered in the plugin's administrative settings interface without proper HTML entity encoding, allowing script execution in the administrator's browser session.

Business impact

This vulnerability poses a significant risk to WordPress sites relying on the FPW Category Thumbnails plugin. A compromised administrator account—the likely outcome of successful exploitation—could lead to site-wide defacement, installation of backdoors, theft of sensitive data, or complete loss of site control. Organizations running e-commerce, multi-user, or content-managed WordPress installations face elevated risk because Subscriber-level users are commonly created for content contributors or customers. The attack requires no user interaction beyond an administrator accessing the plugin settings, making it a reliable persistence mechanism.

Affected systems

FPW Category Thumbnails plugin versions 1.9.5 and earlier are affected. The vulnerability requires the plugin to be installed and activated on a WordPress site. It can be exploited by any authenticated user at Subscriber level or above, meaning sites with open user registration or those managing contributor and editor roles are at higher risk. WordPress multisite installations where Subscriber accounts can be created across subsites expand the attack surface.

Exploitability

The vulnerability is readily exploitable by low-privileged authenticated users. No special tools or complex techniques are required—a simple HTTP request to the vulnerable AJAX endpoint with a crafted payload is sufficient. The attack is reliable because it does not depend on user interaction (UI:N in the CVSS vector) and the injection point is straightforward. However, exploitation does require existing authentication credentials, preventing unauthenticated remote exploitation. The barrier to entry is low for insiders or users who have gained legitimate access to a target site.

Remediation

Update the FPW Category Thumbnails plugin to a patched version released after version 1.9.5. Verify the exact patched version against the official plugin repository or the plugin developer's advisory. As an interim mitigation, restrict Subscriber-level user creation to trusted individuals only, use security plugins to monitor AJAX endpoints, or disable the plugin if it is not actively used. WordPress administrators should ensure the site enforces strong authentication and maintains current security patches for WordPress core and all plugins.

Patch guidance

Visit the WordPress plugin repository or the FPW Category Thumbnails plugin's official page to download the latest version. Verify against the developer's security advisory to confirm the patched version number. Update the plugin through the WordPress admin dashboard (Plugins > Updates) or manually via SFTP/file manager. After updating, test the plugin's core functionality on a non-production environment if possible. Clear any caches (page cache, object cache, CDN) to ensure the new code is active.

Detection guidance

Monitor server logs and Web Application Firewall (WAF) logs for POST requests to the WordPress admin AJAX endpoint (wp-admin/admin-ajax.php) with action=fpw_fs_get_file containing unusual or script-like payloads in the 'id' parameter. Check plugin settings pages for suspicious JavaScript or unfamiliar content, particularly if administrators report unusual behavior. Database queries targeting the plugin's stored options or settings tables may reveal injected payloads. Security plugins with integrity monitoring or stored XSS detection should be configured to flag modifications to plugin settings.

Why prioritize this

This vulnerability warrants prompt but not emergency remediation. While the CVSS score of 6.4 (Medium) reflects the requirement for authentication and the limited scope of direct impact, the practical risk is elevated due to the vulnerability's role as an administrator account compromise vector. Sites with open user registration, active contributor communities, or high-value content face higher priority. The stored nature of the XSS and its persistence across sessions makes it a preferred persistence mechanism for attackers, justifying faster action than typical medium-severity issues.

Risk score, explained

The CVSS 3.1 score of 6.4 (Medium) reflects a network-accessible attack with low privileges required (PR:L), no user interaction needed (UI:N), but confined to the plugin's administrative context (S:C with limited C:L and I:L impact). The absence of availability impact (A:N) and the authentication barrier prevent a higher score. However, the actual organizational risk may be higher because successful exploitation directly compromises administrative access, a critical asset. Security leaders should treat this as a higher-priority update than the numeric score alone suggests when administrator account security is a key control.

Frequently asked questions

Can unauthenticated users exploit this vulnerability?

No. The vulnerability requires valid WordPress user credentials at Subscriber level or higher. Unauthenticated attackers cannot exploit it without first obtaining or creating a user account on the target WordPress site.

What happens if an administrator accesses the plugin settings after a payload is injected?

The injected JavaScript executes in the administrator's browser with their session cookies and privileges active. This can allow the attacker to steal session tokens, modify site content, create new admin accounts, install backdoors, or perform other malicious actions with full site access.

Is there a workaround if we cannot update immediately?

Restrict Subscriber user creation, deactivate the plugin if not in use, or use WordPress user role management to limit who can interact with the plugin. Additionally, implement IP-based access controls to the WordPress admin dashboard and use strong authentication (two-factor authentication) for administrator accounts.

How do we know if our site has been exploited?

Review admin user creation logs and session logs for anomalies. Inspect plugin option rows in the database for suspicious serialized data. Audit administrator account activity for unauthorized changes. Enable WordPress security plugins with integrity monitoring to detect unauthorized modifications to plugin settings.

This analysis is based on publicly available vulnerability data and vendor documentation. The information provided is for informational and educational purposes to support risk management and security decision-making. Organizations should verify patch availability, version specifics, and applicability to their environment directly with the plugin developer and the WordPress plugin repository. SEC.co makes no warranties regarding the completeness or accuracy of remediation guidance and recommends testing patches in non-production environments prior to deployment. This explainer does not constitute professional security advice; consult with qualified security professionals for guidance specific to your organization's risk profile and infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).