VYPR
Medium severity (6.5) · NVD Advisory · Published Apr 15, 2026 · Updated Apr 22, 2026

CVE-2026-40734

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS. This issue affects Categories Images: from n/a through <= 3.3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-based Cross-Site Scripting (XSS) in the WordPress Categories Images plugin up to 3.3.1 allows attackers with contributor-level access to inject malicious scripts via improperly neutralized input.

The Categories Images plugin for WordPress (versions up to and including 3.3.1) contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, specifically within the plugin's handling of image category data. This flaw enables an attacker to inject arbitrary JavaScript or HTML into the page's DOM, which then executes in the context of the victim's browser [1].

Exploitation requires a privileged user (such as a contributor or higher) to perform an action such as clicking a crafted link or visiting a specially prepared page. The attacker does not need direct access to the server; instead, they rely on social engineering to trick an authenticated user into triggering the payload. The vulnerability is classified as DOM-based, meaning the malicious script is executed client-side after the page loads, so server-side output filters are never applied to it [1].

Successful exploitation allows the attacker to execute arbitrary scripts in the browser of any visitor to the affected site. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads. The CVSS v3 score of 6.5 (Medium) reflects the need for user interaction and the potential for significant impact on confidentiality and integrity [1].

The vendor has released version 3.3.2, which resolves the vulnerability. Users are strongly advised to update immediately. Those unable to update manually can, if they use Patchstack, enable auto-updates for vulnerable plugins. While the advisory notes a low severity impact and low likelihood of exploitation, the vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.