Stored Cross-Site Scripting in List Category Posts Plugin for WordPress
CVE-2026-3005

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: List Category Posts
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-3005?

The List Category Posts plugin for WordPress is susceptible to Stored Cross-Site Scripting due to improper input sanitization and escaping of user-supplied data via the 'catlist' shortcode. Authenticated attackers with contributor-level access can exploit this flaw to inject arbitrary JavaScript into pages. When users visit an affected page, malicious scripts execute in their browsers, potentially leading to data theft or site compromise. It is crucial for users and administrators to apply security best practices to mitigate this risk.

Affected Version(s)

List category posts 0 <= 0.94.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/list-category-...

https://plugins.trac.wordpress.org/changeset/3482733/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Feb 23, 2026

Credit

Athiwat Tiprasaharn

Itthidej Aramsri

CVE-2026-3005 Data

JSON