Description
The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute.
Published: 2026-04-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript into a page by abusing the 'class' attribute of the z_taxonomy_image shortcode; when any visitor later views that page, the injected script executes in their browser, potentially stealing session data, defacing content, or facilitating phishing attacks. This is a classic injection flaw classified under CWE-79 and carries a CVSS base score of 5.4, reflecting moderate risk.
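As an added illustration, not code from the Categories Images plugin: a hypothetical shortcode handler showing the unescaped attribute-concatenation pattern the description refers to, beside a hardened version that escapes each attribute with WordPress's esc_attr() and esc_url(). The function and shortcode names are placeholders.

```php
<?php
// Added illustration, not the plugin's own code. Function and shortcode
// names are placeholders chosen for this example.

// Weak pattern: the user-supplied 'class' value is concatenated into the
// tag as-is. A value containing a double quote can close the class
// attribute and append further attributes, which is the stored XSS
// described in the advisory.
function hypothetical_taxonomy_image_weak( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'src' => '' ),
        $atts,
        'hypothetical_image'
    );
    return '<img src="' . $atts['src'] . '" class="' . $atts['class'] . '" />';
}

// Hardened pattern: every value is escaped for the HTML attribute context
// before it is concatenated. esc_attr() encodes quotes and angle brackets,
// and esc_url() returns an empty string for URLs with disallowed schemes,
// so neither value can break out of its quoted attribute.
function hypothetical_taxonomy_image_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'src' => '' ),
        $atts,
        'hypothetical_image'
    );
    $class = esc_attr( $atts['class'] );
    $src   = esc_url( $atts['src'] );
    if ( '' === $src ) {
        // No usable image URL: render nothing rather than a broken tag.
        return '';
    }
    return '<img src="' . $src . '" class="' . $class . '" />';
}

// Register only the hardened handler; the weak one is shown for contrast.
add_shortcode( 'hypothetical_image', 'hypothetical_taxonomy_image_safe' );
```

When reviewing a plugin for this bug class, look for shortcode or template code that echoes or concatenates a shortcode attribute into an HTML tag without passing it through esc_attr(), esc_url() or wp_kses().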

Affected Systems

The issue affects the Categories Images plugin for WordPress, version 3.3.1 and earlier, released by elzahlan. Sites running these versions should check whether a release newer than 3.3.1 that fixes the issue is available and, if so, that they are running it.

Risk and Exploitability

An attacker only needs Contributor-level access, which is granted liberally on many WordPress sites, to place malicious code in the content database. Because the flaw is stored, the script remains present until it is removed, exposing every visitor to the affected page. There are currently no documented exploits, and the EPSS score of < 1% indicates a very low probability of exploitation. The CVSS score of 5.4 reflects moderate severity, and the vulnerability is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on April 18, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Categories Images plugin to the latest available version that addresses the XSS flaw, as soon as such a release exists.
  • If an upgrade is not immediately possible, deactivate the plugin or remove the shortcodes from all posts and pages to eliminate the attack surface.
  • Restrict Contributor or other plugin-related permissions so that only administrators can add or edit content including shortcodes, thereby preventing the injection of malicious attributes.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:30:00 +0000

Type | Values removed | Values added
Description | (empty) | The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute.
Title | (empty) | Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode
Weaknesses | (empty) | CWE-79
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-18T09:26:52.654Z

Reserved: 2026-02-13T22:28:22.061Z

Link: CVE-2026-2505

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T10:16:12.823

Modified: 2026-04-18T10:16:12.823

Link: CVE-2026-2505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses