CVE-2025-58655

The WordPress Category Featured Images plugin, version 1.1.8 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability due to Improper Neutralization of Input During Web Page Generation. This flaw means user-supplied data is not properly sanitized before being stored and later displayed, allowing attackers to inject arbitrary web scripts or HTML.

Exploitation requires a privileged user (such as an administrator) to perform an action—like clicking a malicious link or submitting a crafted form [1]. No other authentication or network position is specified, but the attack can be initiated by roles with lower privileges. Once triggered, the malicious payload is stored within the plugin and executed when any visitor loads the affected page.

Successful exploitation could allow an attacker to inject scripts that perform redirects, display advertisements, or deliver other HTML payloads on the target site [1]. This type of vulnerability is commonly used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity. The CVSS v3 base score is 5.9 (Medium).

The immediate recommended action is to update the plugin to a patched version if available. For sites that cannot be updated, administrators should seek assistance from their hosting provider or a web developer [1].