{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2505", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T22:28:22.061Z", "datePublished": "2026-04-18T09:26:52.654Z", "dateUpdated": "2026-04-20T13:46:07.918Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T09:26:52.654Z"}, "affected": [{"vendor": "elzahlan", "product": "Categories Images", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute."}], "title": "Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34fb64d5-e152-4950-9ef4-6d53a97a56fb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3499275/categories-images"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "timeline": [{"time": "2026-04-17T21:16:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:38:31.941422Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:46:07.918Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:38:31.941422Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:44:52.187Z"}}], "cna": {"title": "Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "elzahlan", "product": "Categories Images", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-17T21:16:01.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34fb64d5-e152-4950-9ef4-6d53a97a56fb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3499275/categories-images"}], "descriptions": [{"lang": "en", "value": "The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T09:26:52.654Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2505", "state": "PUBLISHED", "dateUpdated": "2026-04-20T13:46:07.918Z", "dateReserved": "2026-02-13T22:28:22.061Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-18T09:26:52.654Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute."}], "id": "CVE-2026-2505", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-18T10:16:12.823", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3499275/categories-images"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34fb64d5-e152-4950-9ef4-6d53a97a56fb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Categories Images", "source": "cna", "vendor": "elzahlan"}, "product": "categories_images", "vendor": "elzahlan"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-18T20:03:10.965772+00:00", "value": {"mitigation_remediation": ["Upgrade the Categories Images plugin to the latest available version that addresses the XSS flaw; if a newer release exists, use it.", "If an upgrade is not immediately possible, deactivate the plugin or remove the shortcodes from all posts and pages to eliminate the attack surface.", "Restrict Contributor or other plugin\u2011related permissions so that only administrators can add or edit content including shortcodes, thereby preventing the injection of malicious attributes."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The issue affects the Categories Images plugin for WordPress, version 3.3.1 and earlier, released by elzahlan. Sites running these versions should verify they are using a release newer than 3.3.1 for a fix.", "description_and_impact": "The vulnerability allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript into a page by abusing the 'class' attribute of the z_taxonomy_image shortcode; when any visitor later views that page, the injected script executes, potentially stealing session data, defacing content, or facilitating phishing attacks. This is a classic Injection flaw under CWE\u201179 and carries a CVSS base score of 5.4, reflecting moderate risk.", "risk_and_exploitability": "An attacker only needs Contributor\u2011level access, which is permissive on many WordPress sites, to place malicious code in the content database. The stored nature of the flaw means the script remains present until removed, exposing every site visitor to the risk. There are currently no documented exploits, and the EPSS score of < 1% indicates a very low probability of exploitation. The CVSS score of 5.4 reflects moderate severity, and the vulnerability is not listed in the CISA KEV catalog at this time."}}}}, "created": "2026-04-18T20:15:09.537800+00:00", "updated": "2026-04-20T14:58:44.240782+00:00", "vendors": ["elzahlan", "elzahlan$PRODUCT$categories_images", "wordpress", "wordpress$PRODUCT$wordpress"]}