CVE-2026-2382
Description
Stored XSS in FPW Category Thumbnails plugin (<=1.9.5) allows authenticated users to inject scripts executed by administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The FPW Category Thumbnails plugin for WordPress versions up to and including 1.9.5 is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability exists in the fpw_fs_get_file AJAX action due to insufficient sanitization and output escaping of the id parameter. The affected code can be found in ajax/getimageid.php [3].
Exploitation
An authenticated attacker with at least Subscriber-level access can exploit this vulnerability. The attacker needs to submit a crafted request to the fpw_fs_get_file AJAX action with a malicious payload in the id parameter. This payload will be stored and later rendered when an administrator accesses the plugin's settings page, triggering the script execution.
Impact
Successful exploitation allows an attacker to inject arbitrary web scripts into pages viewed by administrators. This can lead to various consequences, including session hijacking, credential theft, or unauthorized actions performed on behalf of the administrator, depending on the injected script. The compromise scope is limited to the administrator's privileges when they view the plugin's settings.
Mitigation
This vulnerability is fixed in FPW Category Thumbnails plugin version 1.9.6. Users are advised to update to the latest version. No workarounds are available for older versions. The plugin is still actively maintained and not end-of-life.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.9.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize and escape the 'id' parameter in the 'fpw_fs_get_file' AJAX action, allowing for stored cross-site scripting."
Attack vector
An authenticated attacker with at least Subscriber-level access can exploit this vulnerability. The attacker crafts a malicious payload and injects it into the 'id' parameter of the 'fpw_fs_get_file' AJAX action. This payload will be stored and later executed when an administrator views the plugin's settings page, leading to arbitrary script execution in the administrator's browser [ref_id=1].
Affected code
The vulnerability lies within the 'fpw_fs_get_file' AJAX action, which is processed in the plugin's code. Specifically, the 'id' parameter is used without sufficient sanitization or output escaping, as seen in the provided code snippet from 'table.php' [ref_id=1].
What the fix does
The patch is not provided in the bundle. The advisory indicates that all versions up to and including 1.9.5 are affected. Users should update to a version that addresses this vulnerability. The advisory does not specify the exact remediation steps or the version containing the fix.
Preconditions
- auth: The attacker must have at least Subscriber-level access to the WordPress site.
- input: The attacker must be able to send a request to the 'fpw_fs_get_file' AJAX action with a crafted 'id' parameter.
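The root cause and preconditions above describe an AJAX handler that accepts an attacker-controlled 'id' value, stores it, and later renders it unescaped on an admin page. The following is an added, hypothetical hardened handler written for this page; it is not the FPW Category Thumbnails plugin's code, and the exact bug in its sources is not reproduced here. Only the action name fpw_fs_get_file and the id parameter come from the advisory; the nonce name, capability, option key and function names are assumptions. It shows the three controls whose absence produces this class of bug: request validation (nonce), authorization (capability check) and strict input typing (absint), plus escaping at the point where the stored value is rendered.

```php
<?php
// Hypothetical hardened handler for an image-lookup AJAX action in a WordPress plugin.
// Added example for this advisory page, NOT the FPW Category Thumbnails plugin's code.
// 'fpw_fs_get_file' and the 'id' parameter are taken from the advisory; every other
// name (nonce action, option key, text domain, function names) is an assumption.

add_action( 'wp_ajax_fpw_fs_get_file', 'example_fpw_fs_get_file_handler' );

function example_fpw_fs_get_file_handler() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_fpw_fs_get_file', 'nonce' );

    // 2. Authorization: a Subscriber must not reach code that writes plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input typing: an attachment id is a positive integer and nothing else.
    //    absint() discards any markup or quotes an attacker sends in 'id'.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( array( 'message' => 'invalid attachment id' ), 400 );
    }

    $src = wp_get_attachment_image_src( $id, 'thumbnail' );
    if ( ! $src ) {
        wp_send_json_error( array( 'message' => 'no image for id' ), 404 );
    }

    // 4. Storage: persist only the validated integer, never the raw request value.
    update_option( 'example_fpw_last_thumbnail_id', $id );

    // wp_send_json_success() JSON-encodes the payload; nothing is interpolated into HTML.
    wp_send_json_success( array( 'id' => $id, 'url' => esc_url( $src[0] ) ) );
}

// Rendering side: the stored value is re-typed and escaped at output time in the
// settings table, so even a value that slipped past validation cannot become markup.
function example_fpw_render_thumbnail_cell() {
    $id  = absint( get_option( 'example_fpw_last_thumbnail_id', 0 ) );
    $src = $id ? wp_get_attachment_image_src( $id, 'thumbnail' ) : false;
    if ( ! $src ) {
        echo '<td>' . esc_html__( 'No thumbnail', 'example-textdomain' ) . '</td>';
        return;
    }
    printf(
        '<td><img src="%s" alt="%s" data-id="%d"></td>',
        esc_url( $src[0] ),
        esc_attr( get_the_title( $id ) ),
        $id
    );
}
```

If lower-privileged users legitimately need the lookup, the capability check can be relaxed, but the absint() typing and the esc_* calls at render time are what close the root cause quoted above; the capability check only narrows who can reach it. When reviewing a plugin for this pattern, the useful check is whether every value read from $_POST or $_GET in a wp_ajax_* handler is typed or sanitized before update_option() and escaped again where it is printed.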
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/fpw-category-thumbnails/tags/1.9.5/ajax/getimageid.php (nvd)
- plugins.trac.wordpress.org/browser/fpw-category-thumbnails/tags/1.9.5/classes/fpw-category-thumbnails-class.php (nvd)
- plugins.trac.wordpress.org/browser/fpw-category-thumbnails/tags/1.9.5/code/table.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/1fdbddd7-8713-48c8-98d6-0a155ca68325 (nvd)
News mentions
No linked articles in our index yet.