cleantalk
Vulnerabilities and Security Researches

Category Image, CVE-2026-0815

CVE, Research URL

CVE-2026-0815

Home page URL

Security reports for Category Image

Application

Category Image

Published on
Feb 11, 2026
Research Description
The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-image' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.0.
Status
vulnerable
Previous vulnerability researches
Category Image (CVE-2026-0815) , Apr 15, 2026
Post Category Image With Grid and Slider (CVE-2022-4747) , Jun 06, 2024
Post Category Image With Grid and Slider (3492d1f1466a95f4b4876b13cbf07bc5627ceeab) , Jun 06, 2024
New vulnerability
Robin image optimizer — save money on image compression (CVE-2026-1319) , Apr 15, 2026
Advanced Woo Labels – Product Labels for WooCommerce (CVE-2026-1929) , Apr 15, 2026
Newsletter – Send awesome emails from WordPress (CVE-2026-1051) , Apr 15, 2026
URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress (CVE-2026-1277) , Apr 15, 2026
FlatPM – Ad Manager, AdSense and Custom Code (CVE-2026-0690) , Apr 15, 2026