Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mat Category Featured Images category-featured-images allows Stored XSS. This issue affects Category Featured Images: from n/a through <= 1.1.8.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Category Featured Images plugin contains a stored cross‑site scripting flaw that allows attackers to inject malicious scripts into the site’s data store. Improper neutralization of user input when generating web pages leads to arbitrary JavaScript execution in browsers of visitors who load affected pages. The identified weakness is CWE‑79.

Affected Systems

All WordPress sites that use the Mat Category Featured Images plugin version 1.1.8 or earlier are affected. Any installation of the plugin prior to an update that removes this flaw is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity; the EPSS score is under 1%, suggesting exploit attempts are infrequent, and the vulnerability is not listed in CISA's KEV catalogue. The flaw is a stored XSS vulnerability: to exploit it, an attacker must first insert malicious code via the plugin’s content creation or editing interface (the likely attack vector, inferred from the description). Once injected, any visitor who loads the affected page will execute the script in the browser context.

Generated by OpenCVE AI on April 30, 2026 at 06:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Category Featured Images plugin to a version newer than 1.1.8.
  • If an update is not immediately available, disable or uninstall the plugin until a fix is released.
  • Implement input validation or sanitization for any content that passes through the plugin, and consider deploying a web application firewall to block malicious scripts.


Advisories
Source: EUVD
ID: EUVD-2025-30533
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mattia Roccoberton Category Featured Images allows Stored XSS. This issue affects Category Featured Images: from n/a through 1.1.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1
  Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mattia Roccoberton Category Featured Images allows Stored XSS. This issue affects Category Featured Images: from n/a through 1.1.8.
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mat Category Featured Images category-featured-images allows Stored XSS. This issue affects Category Featured Images: from n/a through <= 1.1.8.
References
Metrics cvssV3_1
  Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 17:15:00 +0000

Metrics ssvc
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

First Time appeared
  Values added: Wordpress, wordpress
Vendors & Products
  Values added: Wordpress, wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Description
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mattia Roccoberton Category Featured Images allows Stored XSS. This issue affects Category Featured Images: from n/a through 1.1.8.
Title
  Values added: WordPress Category Featured Images Plugin <= 1.1.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses
  Values added: CWE-79
References
Metrics cvssV3_1
  Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:22:22.579Z

Reserved: 2025-09-03T09:03:29.730Z

Link: CVE-2025-58655

Vulnrichment

Updated: 2025-09-23T16:01:17.213Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:15.730

Modified: 2026-04-23T15:33:32.200

Link: CVE-2025-58655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')