CVE-2026-0815 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Category Image plugin for WordPress, developed by pankajanupam. The flaw exists in all versions up to and including 2.0, caused by insufficient sanitization and escaping of the 'tag-image' parameter during web page generation. This vulnerability allows authenticated attackers with Editor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Exploitation requires authenticated access with elevated privileges, no user interaction is needed once the malicious script is injected, and the attack scope is limited to sites using this specific plugin. The CVSS v3.1 base score is 4.4, reflecting a medium severity due to the attack vector being network-based but requiring high privileges and having limited impact on availability. No patches or known exploits have been reported at the time of publication.

The primary impact of this vulnerability is the potential compromise of user sessions and data confidentiality on WordPress sites using the vulnerable Category Image plugin. Attackers with Editor or higher privileges can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to credential theft, unauthorized actions, or site defacement. This can undermine the integrity and trustworthiness of affected websites, damage brand reputation, and expose sensitive information. Although the vulnerability does not directly affect availability, successful exploitation could facilitate further attacks that degrade service. The requirement for elevated privileges limits the attack surface to insiders or compromised accounts, but organizations with multiple editors or collaborative environments remain at risk. Given WordPress's widespread use globally, sites relying on this plugin are vulnerable until remediated.

To mitigate CVE-2026-0815, organizations should first check for updates or patches from the plugin developer and apply them promptly once available. In the absence of official patches, administrators should restrict Editor-level and higher privileges to trusted users only and audit existing user roles for unnecessary elevated access. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'tag-image' parameter can provide interim protection. Additionally, site administrators should sanitize and validate all inputs rigorously, and consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding practices. Regular security audits and monitoring for unusual script injections or user behavior can help detect exploitation attempts early. Educating content editors about the risks of injecting untrusted content is also recommended.