VYPR

CVE-2026-8867

Medium severity (6.4) · NVD Advisory · Published May 27, 2026

Description

The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (such as total_width, color_scheme, and caption_font_size) inside the sc_horcatbar() function, which are concatenated directly into HTML attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Post Category Gallery WordPress plugin, in versions up to and including 1.0.0, is vulnerable to stored cross-site scripting via unsanitized attributes of the 'postcategorygallery' shortcode, allowing attackers with contributor-level access or above to inject arbitrary web scripts into pages.

Vulnerability

The Post Category Gallery plugin for WordPress, versions up to and including 1.0.0, is vulnerable to stored cross-site scripting (XSS) via the 'postcategorygallery' shortcode. The vulnerability exists in the sc_horcatbar() function (located in horcatbar.php) [1][2]. User-supplied shortcode attributes such as total_width, color_scheme, and caption_font_size are neither validated nor escaped before being concatenated into HTML attribute values. Because the values land inside quoted attributes, a value containing a double quote closes the attribute and everything after it is parsed as new attributes, such as an event handler. This allows authenticated attackers with at least contributor-level access to inject arbitrary scripts.

Exploitation

An attacker must have contributor-level or higher permissions on a WordPress site running a vulnerable version of the plugin. The attacker creates or edits a post or page and includes the [postcategorygallery] shortcode with malicious payloads in one or more of the vulnerable attributes (e.g., total_width, color_scheme, caption_font_size). When the shortcode is rendered, the unsanitized attributes are written directly into the HTML output, and the injected script executes for any user who views the affected page. Note that a contributor cannot publish: the post sits in pending review, so the first victim is typically the editor or administrator who previews it, which is where the privilege escalation happens.
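A triage helper for the scenario above, added here as an example; it is not part of the advisory or the plugin. It scans post content for [postcategorygallery] shortcodes whose attribute values do not look like a width, a hex colour or a font size. The pcg_* function names, the expected-value patterns (an assumption about what the plugin intends these attributes to hold) and the post rows (constructed stand-ins for wp_posts.post_content) are all hypothetical.

```php
<?php
// Added triage helper for CVE-2026-8867, not code from the advisory or the plugin.
// Flags [postcategorygallery] shortcode attributes whose values cannot be a width,
// a hex colour or a font size. The expected patterns are an assumption.

function pcg_expected_patterns(): array {
    return [
        'total_width'       => '/^\d{1,4}(px|%)?$/',
        'color_scheme'      => '/^#([A-Fa-f0-9]{3}){1,2}$/',
        'caption_font_size' => '/^\d{1,3}(px)?$/',
    ];
}

// Returns one entry per suspicious attribute: [attribute, value, reason].
function pcg_find_suspicious(string $content): array {
    $hits = [];
    // Every opening [postcategorygallery ...] tag, with its raw attribute string.
    if (!preg_match_all('/\[postcategorygallery\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER)) {
        return $hits;
    }
    $expected = pcg_expected_patterns();
    foreach ($tags as $tag) {
        // name="value", name='value' or name=value. A breakout payload wrapped in
        // single quotes is captured whole by the second alternative.
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $tag[1], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $name  = strtolower($p[1]);
            $value = ($p[2] ?? '') !== '' ? $p[2] : ((($p[3] ?? '') !== '') ? $p[3] : ($p[4] ?? ''));
            if (isset($expected[$name])) {
                if (!preg_match($expected[$name], $value)) {
                    $hits[] = [$name, $value, 'value does not match the expected form'];
                }
            } elseif (preg_match('/["\'<>]|\bon\w+\s*=|javascript:/i', $value)) {
                $hits[] = [$name, $value, 'breakout characters in an unexpected attribute'];
            }
        }
    }
    return $hits;
}

// Constructed rows standing in for
// SELECT ID, post_author, post_type, post_content FROM wp_posts.
$rows = [
    ['ID' => 101, 'post_author' => 2, 'post_type' => 'post',
     'post_content' => '[postcategorygallery total_width="800px" color_scheme="#336699" caption_font_size="14"]'],
    ['ID' => 102, 'post_author' => 7, 'post_type' => 'post',
     'post_content' => "Gallery below.\n[postcategorygallery total_width='100%\" onmouseover=\"alert(document.domain)\" x=\"' color_scheme=\"#fff\"]"],
    ['ID' => 103, 'post_author' => 7, 'post_type' => 'revision',
     'post_content' => "[postcategorygallery caption_font_size='14px\" autofocus onfocus=\"alert(1)\" x=\"']"],
];

foreach ($rows as $row) {
    foreach (pcg_find_suspicious($row['post_content']) as [$attr, $value, $why]) {
        printf("post %d (author %d, %s): %s=%s  [%s]\n",
            $row['ID'], $row['post_author'], $row['post_type'], $attr, $value, $why);
    }
}
```

On a real site, feed the function rows pulled through $wpdb or WP-CLI (`wp db query`), and include drafts, pending posts and post_type 'revision': a contributor's payload is usually sitting unpublished, waiting for an editor to preview it. Post 101 produces no output; 102 and 103 are reported, and the author ID tells you which account to look at next.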

Impact

Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in defacement, redirection to malicious sites, theft of sensitive information, or actions performed as the victim. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is unlikely; the realistic path is a script that uses the victim's session and REST API nonce from within the page, for example to create an administrator account when the viewer is an administrator. The vulnerability requires no user interaction beyond viewing the injected page.

Mitigation

As of May 27, 2026, no fixed version has been released and the vendor has not provided a patch. Users should disable and remove the plugin until an update is available. The vulnerability is not listed in the CISA KEV catalog as of the publication date. References [1] and [2] show the vulnerable code; a workaround is to validate and escape the shortcode attributes in sc_horcatbar() by modifying the plugin code, but this is not recommended for non-developers and is lost on the next plugin update.
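The following is an added illustration of both the vulnerable shape described under Vulnerability and the sanitizing workaround mentioned above; it is not the plugin's code or the vendor's fix. pcg_render_vulnerable() reproduces the pattern the CVE describes (attribute values concatenated into HTML attribute values), and pcg_render_hardened() is one way to fix that shape using WordPress's own shortcode_atts(), esc_attr(), absint() and sanitize_hex_color(). The markup, the pcg_* names, the defaults, the payload and the fallback stand-in definitions (so the file runs with plain `php` outside WordPress) are all assumptions.

```php
<?php
// Added illustration for CVE-2026-8867, not code from the Post Category Gallery
// plugin. The markup, pcg_* names and defaults are assumptions.

// Stand-ins so this runs with plain `php` outside WordPress; inside WordPress the
// real shortcode_atts(), esc_attr(), absint() and sanitize_hex_color() are used and
// these definitions are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n): int { return abs((int) $n); }
}
if (!function_exists('sanitize_hex_color')) {
    function sanitize_hex_color($color) {
        if ('' === $color) { return ''; }
        return preg_match('|^#([A-Fa-f0-9]{3}){1,2}$|', (string) $color) ? $color : null;
    }
}

function pcg_defaults(): array {
    return ['total_width' => '100%', 'color_scheme' => '#333333', 'caption_font_size' => '14'];
}

// Vulnerable shape: values go straight into double-quoted attributes, so a value
// containing `"` closes the attribute and whatever follows becomes new attributes.
function pcg_render_vulnerable(array $atts): string {
    $a = shortcode_atts(pcg_defaults(), $atts);
    return '<div class="pcg-bar" style="width:' . $a['total_width']
         . ';color:' . $a['color_scheme'] . '"'
         . ' data-caption-size="' . $a['caption_font_size'] . '"></div>';
}

// Hardened shape: constrain each value to the type it is meant to be (a length, a
// hex colour, an integer), then escape for the attribute context at output time.
// Either layer alone stops this payload; together they also reject values that
// are syntactically harmless but still not a width or a colour.
function pcg_render_hardened(array $atts): string {
    $a = shortcode_atts(pcg_defaults(), $atts);
    $width = preg_match('/^\d{1,4}(px|%)?$/', (string) $a['total_width'])
        ? $a['total_width'] : pcg_defaults()['total_width'];
    $color = sanitize_hex_color((string) $a['color_scheme']) ?: pcg_defaults()['color_scheme'];
    $size  = absint($a['caption_font_size']) ?: (int) pcg_defaults()['caption_font_size'];
    return '<div class="pcg-bar" style="width:' . esc_attr($width)
         . ';color:' . esc_attr($color) . '"'
         . ' data-caption-size="' . esc_attr($size) . '"></div>';
}

// Constructed payload standing in for what shortcode_parse_atts() hands the handler
// for [postcategorygallery total_width='100%" onmouseover="alert(document.domain)" x="'].
$payload = ['total_width' => '100%" onmouseover="alert(document.domain)" x="'];
echo "vulnerable: ", pcg_render_vulnerable($payload), "\n";
echo "hardened:   ", pcg_render_hardened($payload), "\n";
```

In the vulnerable rendering the style attribute ends at the injected quote and onmouseover becomes a live event handler, with the trailing `x="` swallowing the rest of the original attribute so the markup stays well-formed; in the hardened rendering the value fails the width check and the default is emitted. Validation before escaping matters here because esc_attr() alone would still let a contributor put arbitrary (if inert) text into a style attribute.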

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the index yet)