Impact
Improper neutralization of input during web page generation, a stored cross-site scripting (XSS) flaw, in the WordPress plugin Category Featured Images Extended allows an attacker to place malicious script in the site database so that it executes in the browser of anyone who later views the affected page. Because the payload persists and is served to every visitor rather than only to the person who follows a crafted link, the consequences include session hijacking, defacement, and arbitrary client-side code execution in the context of the site for any visitor.
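The pattern behind this class of flaw, shown below as an added illustration that is not the Category Featured Images Extended plugin's own code: a plugin saves a per-category value from an admin form and later echoes it into the category archive without escaping. The meta key `cfie_demo_image`, the form field and nonce names, and the function names are hypothetical; the WordPress API calls (`update_term_meta`, `get_term_meta`, `esc_url`, `esc_url_raw`, `current_user_can`, `check_admin_referer`, the `edited_category` action) are real.

```php
<?php
/**
 * Illustrative WordPress plugin fragment (added example, NOT the Category
 * Featured Images Extended plugin's code). It contrasts the stored-XSS
 * pattern described in the advisory with a hardened equivalent. Hook
 * names, meta keys and field names are hypothetical.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/* --- Vulnerable pattern ------------------------------------------------ */

// Saves whatever the category edit form submitted: no capability check,
// no nonce check, no sanitisation. Any user who can reach this handler
// stores the payload in term meta, where it persists.
function cfie_demo_save_vulnerable( $term_id ) {
    if ( isset( $_POST['cfie_demo_image'] ) ) {
        update_term_meta( $term_id, 'cfie_demo_image', $_POST['cfie_demo_image'] );
    }
}

// Echoes the stored value straight into an HTML attribute. A stored value
// such as   " onerror="alert(document.cookie)   closes the src attribute and
// appends an event handler; a javascript: URL works as well. The script then
// runs for every visitor who loads the category archive.
function cfie_demo_render_vulnerable( $term_id ) {
    $url = get_term_meta( $term_id, 'cfie_demo_image', true );
    echo '<img class="category-featured" src="' . $url . '">';
}

/* --- Hardened pattern -------------------------------------------------- */

function cfie_demo_save_hardened( $term_id ) {
    // Only users allowed to edit this term may change its image.
    if ( ! current_user_can( 'edit_term', $term_id ) ) {
        return;
    }
    // Nonce tied to this specific form (hypothetical action/field names).
    check_admin_referer( 'cfie_demo_save_' . $term_id, 'cfie_demo_nonce' );

    if ( isset( $_POST['cfie_demo_image'] ) ) {
        // esc_url_raw() keeps only allowed schemes (http, https, ...), so a
        // javascript: payload is stored as an empty string rather than kept.
        $url = esc_url_raw( wp_unslash( $_POST['cfie_demo_image'] ) );
        update_term_meta( $term_id, 'cfie_demo_image', $url );
    }
}

function cfie_demo_render_hardened( $term_id ) {
    $url = get_term_meta( $term_id, 'cfie_demo_image', true );
    if ( '' === $url ) {
        return;
    }
    // Escape again at output time: esc_url() encodes quotes and rejects
    // disallowed schemes, so the value cannot break out of the attribute
    // even if something else wrote unsanitised data into the same meta key.
    printf( '<img class="category-featured" src="%s">', esc_url( $url ) );
}

// Wire the hardened save handler to the core category-edit action.
add_action( 'edited_category', 'cfie_demo_save_hardened' );
```

When auditing an installed copy of a plugin like this one, the quick check is to grep its templates and shortcode handlers for `echo`/`print` of `get_term_meta`, `get_option` or `$_GET`/`$_POST` values that are not wrapped in `esc_url()`, `esc_attr()`, `esc_html()` or `wp_kses_post()`; escaping on output is what stops a value that was already stored from executing.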
Affected Systems
The affected product is the WordPress plugin Category Featured Images Extended by CK MacLeod, from an unspecified initial release through version 1.52. Any WordPress site running this plugin at version 1.52 or earlier should be treated as vulnerable; the installed version can be confirmed from the Plugins screen or the version header in the plugin's main PHP file.
Risk and Exploitability
The CVSS base score of 5.9 places the issue at medium severity, while the EPSS score below 1% indicates that exploitation in the wild is currently unlikely, though not impossible. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The description does not spell out the attack vector. Stored XSS in a WordPress plugin typically requires an account that can submit the affected content, here presumably the category image or description settings the plugin manages, so an attacker would first need a user with that permission or another way to reach the plugin's save handler. Once the payload is stored, it runs in the browser of every visitor to the affected page, giving the attacker that visitor's session context rather than only the account used to plant it.
OpenCVE Enrichment