PatchSiren cyber security CVE debrief
CVE-2026-8867 fides-it CVE debrief
The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'postcategorygallery' shortcode in versions up to and including 1.0.0. The vulnerability exists in the sc_horcatbar() function, where user-supplied shortcode attributes—including total_width, color_scheme, and caption_font_size—are concatenated directly into HTML attribute values without sufficient input sanitization or output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which execute when users access the injected content. The vulnerability was published on May 27, 2026, with a CVSS 3.1 score of 6.4 (Medium severity). The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). No known exploitation in the wild or ransomware campaign use has been documented.
- Vendor: fides-it
- Product: Post Categories Gallery
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators using the Post Category Gallery plugin; security teams managing WordPress installations with multiple contributor-level users; developers maintaining WordPress plugins with shortcode functionality
Technical summary
The sc_horcatbar() function in horcatbar.php fails to sanitize or escape user-supplied shortcode attributes before concatenating them into HTML output. Affected attributes include total_width, color_scheme, and caption_font_size. The vulnerability requires authenticated access at contributor level or above to exploit. The stored payload executes in the browser context of any user viewing the compromised page.
Defensive priority
medium
Recommended defensive actions
- Update Post Category Gallery plugin to a version newer than 1.0.0 if available, or remove the plugin if no patch exists
- Review existing posts and pages for unauthorized use of the postcategorygallery shortcode, particularly checking the total_width, color_scheme, and caption_font_size attributes for suspicious values
- Implement Content Security Policy (CSP) headers to mitigate impact of XSS payloads
- Restrict contributor and author role permissions where possible, or implement additional content review workflows
- Consider using WordPress security plugins that provide shortcode attribute sanitization as a defense-in-depth measure
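One way to carry out the content review recommended above, written here as an added example that is not part of this advisory or of the plugin: a Python audit that pulls every postcategorygallery shortcode out of post bodies and flags attribute names the shortcode does not use (a quote that breaks out of a value shows up as one) and values that fall outside a conservative expected format. The expected formats and the sample post bodies are assumptions constructed for the example.

```python
import re

# Constructed sample of wp_posts rows (id -> post_content); not real site data.
SAMPLE_POSTS = {
    101: 'Gallery: [postcategorygallery total_width="960" color_scheme="dark" caption_font_size="14"]',
    102: 'Gallery: [postcategorygallery total_width="960" color_scheme="dark" data-extra="1"]',
    103: "Gallery: [postcategorygallery total_width='100%' color_scheme=\"light\" caption_font_size='x-large']",
    104: "No shortcode here.",
}

# Value formats a legitimate use of these attributes would need. These allowlists
# are an assumption made for the audit, not the plugin's own validation rules.
EXPECTED = {
    "total_width": re.compile(r"^\d{1,4}(px|%)?$"),
    "color_scheme": re.compile(r"^[A-Za-z0-9_-]{1,32}$"),
    "caption_font_size": re.compile(r"^\d{1,3}(px|em|pt)?$"),
}

SHORTCODE_RE = re.compile(r"\[postcategorygallery\b([^\]]*)\]", re.IGNORECASE)
# key="v", key='v' or key=v, mirroring how WordPress tokenises shortcode attributes.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")


def audit_post(post_id, content):
    """Return (post_id, attribute, value, reason) tuples for suspicious shortcode use."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        raw = m.group(1)
        if "<" in raw or ">" in raw:
            findings.append((post_id, "*", raw.strip(), "angle brackets in attribute list"))
        for name, dq, sq, bare in ATTR_RE.findall(raw):
            value = dq or sq or bare
            name = name.lower()
            if name not in EXPECTED:
                # A quote that breaks out of a value surfaces as an unexpected attribute name.
                findings.append((post_id, name, value, "attribute not used by the shortcode"))
            elif not EXPECTED[name].match(value):
                findings.append((post_id, name, value, "value outside expected format"))
    return findings


def audit_posts(posts):
    """Audit every post body and return all findings, ordered by post id."""
    results = []
    for post_id in sorted(posts):
        results.extend(audit_post(post_id, posts[post_id]))
    return results


if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print("post %d: %s=%r (%s)" % finding)
```

On a live site the same function can be fed the post_content column of wp_posts; every finding is a post to inspect by hand, not proof of compromise.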
Evidence notes
Vulnerability confirmed via WordPress plugin source code analysis (horcatbar.php lines 79 and 97) and Wordfence threat intelligence. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.
Official resources
2026-05-27T07:16:16.103Z