Stored Cross-Site Scripting in Categories Images Plugin for WordPress
CVE-2026-2505

CVSS 5.4 MEDIUM

Key Information:

Vendor:
WordPress
CVE Published:
18 April 2026

What is CVE-2026-2505?

The Categories Images plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability that can be exploited by authenticated attackers with Contributor-level access and above. The issue arises in the 'z_taxonomy_image' shortcode, which passes the user-controlled class attribute into an image tag builder without HTML attribute escaping. An attacker who can place the shortcode in content can therefore inject script that executes in the browser of any user who visits the affected frontend page. Users are advised to update to the latest version of the plugin to mitigate this risk.
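To make the defect class concrete, the following is an added, constructed PHP illustration; it is not the Categories Images plugin's own code, and the function names (`build_image_tag_unsafe`, `build_image_tag_safe`, `taxonomy_image_shortcode`) are hypothetical. It assumes a shortcode whose `class` attribute is concatenated into an `<img>` tag, shows the unescaped builder next to a hardened one that runs every attribute value through WordPress's `esc_attr()` and additionally allow-lists class tokens, and supplies a fallback `esc_attr()` so the file runs stand-alone with the `php` CLI outside WordPress.

```php
<?php
// Constructed illustration of the vulnerability class described above
// (unescaped user input inside an HTML attribute); not the plugin's code.

// Outside WordPress, approximate esc_attr() so this file runs stand-alone.
// Inside WordPress the real esc_attr() is already defined and is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the class value is concatenated into the tag as-is,
// so a double quote in the input terminates the class attribute early.
function build_image_tag_unsafe(string $src, string $class): string
{
    return '<img src="' . esc_attr($src) . '" class="' . $class . '" />';
}

// Hardened pattern: every attribute value passes through esc_attr(), and the
// class list is further restricted to tokens a CSS class can actually contain.
function build_image_tag_safe(string $src, string $class): string
{
    $tokens = preg_split('/\s+/', trim($class), -1, PREG_SPLIT_NO_EMPTY);
    $tokens = array_filter(
        $tokens,
        fn(string $t): bool => preg_match('/^[A-Za-z0-9_-]+$/', $t) === 1
    );
    $classes = implode(' ', $tokens);
    return '<img src="' . esc_attr($src) . '" class="' . esc_attr($classes) . '" />';
}

// Hypothetical shortcode handler; $atts is the attribute array WordPress passes in.
function taxonomy_image_shortcode(array $atts): string
{
    $atts = array_merge(['src' => '', 'class' => 'taxonomy-image'], $atts);
    return build_image_tag_safe($atts['src'], $atts['class']);
}

// Constructed inputs: an ordinary class list, and one carrying a double quote,
// the character that closes an attribute value in HTML.
$benign  = 'thumb rounded';
$quoted  = 'thumb" data-injected="1';

// The unsafe builder leaves the quote intact, breaking the attribute boundary.
echo build_image_tag_unsafe('/img/cat.png', $quoted), PHP_EOL;

// The safe builder drops the quote-bearing tokens via the allow-list, and
// esc_attr() would have encoded the quote as an entity had it survived.
echo build_image_tag_safe('/img/cat.png', $quoted), PHP_EOL;

// Ordinary input passes through unchanged.
echo taxonomy_image_shortcode(['src' => '/img/cat.png', 'class' => $benign]), PHP_EOL;
```

Escaping at the point of output is the control that the advisory says was missing; the allow-list on class tokens is an additional, defence-in-depth choice that keeps the attribute restricted to what the feature actually needs, so a future change to the escaping function cannot silently reopen the attribute boundary.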

Affected Version(s)

Categories Images, all versions up to and including 3.3.1

References

CVSS v3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability reserved
  • Vulnerability published

Credit

Athiwat Tiprasaharn
Tharadol Suksamran