ByteOS Network

Categories Images

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-2505

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-5.4||MEDIUM

EPSS-0.03% / 8.07%

7 Day CHG~0.00%

Published-18 Apr, 2026 | 09:26

Updated-18 Apr, 2026 | 10:16

Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute.

Vendor-elzahlan

Product-Categories Images

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2026-40734

Assigner-Patchstack

View Details

Assigner-Patchstack

CVSS Score-6.5||MEDIUM

EPSS-0.03% / 9.48%

7 Day CHG~0.00%

Published-15 Apr, 2026 | 10:21

Updated-16 Apr, 2026 | 15:17

WordPress Categories Images plugin <= 3.3.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1.

Vendor-Zahlan

Product-Categories Images

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')