Impact
The FPW Category Thumbnails WordPress plugin contains a stored cross‑site scripting flaw reachable through the ‘id’ parameter of the ‘fpw_fs_get_file’ AJAX action. Because the value is neither sanitized on input nor escaped on output, any authenticated user with Subscriber‑level rights or higher can store arbitrary JavaScript in the site’s database. When an administrator later opens the plugin’s settings page, the stored script executes in the administrator’s browser, where it can act with the administrator’s session (changing settings, defacing the interface, or creating further administrative access) and so serves as a stepping stone to full site compromise. The weakness is classified as CWE‑79; it affects the confidentiality, integrity, and availability of the site’s administrative functions.
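As an added illustration of the defect class described above, the snippet below shows a hypothetical WordPress AJAX handler with the CWE‑79 pattern, followed by a hardened version. This is not the FPW Category Thumbnails code, which this page does not reproduce: only the action name ‘fpw_fs_get_file’ and the ‘id’ parameter come from the advisory. The option name `fpw_fs_last_file`, the nonce action, the `manage_options` capability check, and the assumption that ‘id’ is a numeric attachment ID are illustrative assumptions.

```php
<?php
// Added example: a hypothetical handler showing the stored-XSS pattern.
// NOT the FPW Category Thumbnails code; option/nonce/capability names are assumptions.
// In a real plugin only one callback would be registered; both are shown for contrast.

// --- Vulnerable pattern -----------------------------------------------------
add_action( 'wp_ajax_fpw_fs_get_file', 'fpw_example_get_file_vulnerable' );
function fpw_example_get_file_vulnerable() {
    // wp_ajax_ hooks are reachable by every logged-in user (Subscriber included).
    // No nonce check, no capability check, no sanitization.
    $id = $_POST['id'];                          // raw, attacker-controlled
    update_option( 'fpw_fs_last_file', $id );    // stored verbatim
    wp_send_json_success( array( 'id' => $id ) );
}

// The settings page later echoes the stored value without escaping.
function fpw_example_settings_field_vulnerable() {
    $last = get_option( 'fpw_fs_last_file', '' );
    echo '<input type="text" name="fpw_fs_last_file" value="' . $last . '">';
    // A stored value of  " onfocus=alert(1) autofocus x="  breaks out of the
    // attribute and runs in the administrator's browser.
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_fpw_fs_get_file', 'fpw_example_get_file_hardened' );
function fpw_example_get_file_hardened() {
    // 1. CSRF protection: the request must carry a valid nonce
    //    (assumed nonce action 'fpw_fs_get_file', sent in the 'nonce' field).
    check_ajax_referer( 'fpw_fs_get_file', 'nonce' );

    // 2. Authorization: only users allowed to manage settings reach the sink.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: an attachment ID is an integer, so cast it.
    //    absint() reduces any markup to 0, which is then rejected.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id || ! wp_attachment_is_image( $id ) ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    update_option( 'fpw_fs_last_file', $id );
    wp_send_json_success( array( 'id' => $id ) );
}

// 4. Escape at the output sink regardless, so a future change to the
//    stored type cannot silently reintroduce the flaw.
function fpw_example_settings_field_hardened() {
    $last = (int) get_option( 'fpw_fs_last_file', 0 );
    printf(
        '<input type="text" name="fpw_fs_last_file" value="%s">',
        esc_attr( $last )
    );
}
```

If the real parameter is a string (a file name rather than an attachment ID), the same structure applies with `sanitize_text_field()` on input and `esc_attr()` or `esc_html()` at each output context in place of the integer cast; the nonce and capability checks are what keep a Subscriber from reaching the sink at all.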
Affected Systems
Affected software: Frankpw – FPW Category Thumbnails plugin for WordPress. All releases up to and including version 1.9.5 are affected. The page does not identify a fixed release, so any site running 1.9.5 or older should be treated as vulnerable until the vendor confirms a patched version.
Risk and Exploitability
The flaw carries a CVSS base score of 6.4 (Medium). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog; this means there is no public evidence of in‑the‑wild exploitation, not that exploitation is unlikely. Exploitation requires an authenticated account with at least Subscriber privileges, which is the lowest WordPress role and is often obtainable on sites that allow open registration. The attacker submits an ‘id’ value containing JavaScript to the ‘fpw_fs_get_file’ action; the payload is stored server‑side and executes whenever an administrator loads the plugin’s settings page. The impact is therefore significant, but the chain depends on two conditions: the attacker must obtain a low‑privilege account, and an administrator must subsequently visit the affected page.
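For responders checking whether the chain above has been attempted, the following added example (not part of the advisory or the plugin) scans web‑server access log lines for requests to `admin-ajax.php` with `action=fpw_fs_get_file` whose ‘id’ value carries markup. The log lines are constructed for the example; the log format is assumed to be Apache/Nginx combined, and the assumption that a legitimate ‘id’ is a bare integer is illustrative.

```php
<?php
// Added example: hunt access logs for attempts against the fpw_fs_get_file action.
// Not from the advisory or the plugin. Sample lines below are constructed.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=fpw_fs_get_file&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=fpw_fs_get_file&id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=fpw_fs_get_file&id=%22%20onfocus%3Dalert(1)%20autofocus%20x%3D%22 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
LOG;

/**
 * Return one finding per suspicious request. POST bodies are not written to
 * access logs, so POSTs to admin-ajax.php are reported as unverifiable rather
 * than silently ignored: the stored value in the database is the reliable artifact.
 */
function fpw_hunt(string $log): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: ip ident user [time] "METHOD target proto" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        if (parse_url($target, PHP_URL_PATH) !== '/wp-admin/admin-ajax.php') {
            continue;
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $q); // URL-decodes values
        $action = $q['action'] ?? null;

        if ($method === 'POST' && $action === null) {
            $findings[] = ['ip' => $ip, 'ts' => $ts, 'status' => (int) $status,
                           'verdict' => 'unverifiable POST to admin-ajax.php (body not logged)'];
            continue;
        }
        if ($action !== 'fpw_fs_get_file') {
            continue;
        }
        $id = (string) ($q['id'] ?? '');
        // An ID parameter should be a bare non-negative integer (assumption);
        // the second test flags classic XSS markers even where strings are legal.
        $nonNumeric = !preg_match('/^\d+$/', $id);
        $markup     = (bool) preg_match('/[<>"\']|javascript:|on\w+\s*=/i', $id);
        if ($nonNumeric || $markup) {
            $findings[] = [
                'ip'      => $ip,
                'ts'      => $ts,
                'status'  => (int) $status,
                'id'      => $id,
                'verdict' => $markup ? 'markup in id (probable XSS attempt)' : 'non-numeric id',
            ];
        }
    }
    return $findings;
}

foreach (fpw_hunt(SAMPLE_LOG) as $f) {
    echo json_encode($f), PHP_EOL;
}
```

Because the action is most naturally called with POST, log hunting only catches the noisier attempts; a complete check also searches the values the plugin stores (its options or tables) for `<script`, `on…=` handlers or `javascript:` URLs, and correlates any hit with the account that made the request and the administrators who opened the settings page afterwards.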
OpenCVE Enrichment