cleantalk
Vulnerabilities and Security Researches

Categories Images, CVE-2026-2505

CVE, Research URL

CVE-2026-2505

Home page URL

Security reports for Categories Images

Application

Categories Images

Published on
Apr 18, 2026
Research Description
The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute.
Affected versions
max 3.3.2.
Status
vulnerable
Previous vulnerability researches
Simple User Registration (CVE-2025-4334) , Jun 27, 2025
Simple User Registration (CVE-2025-12160) , Dec 11, 2025
Simple User Registration (CVE-2026-0844) , Apr 20, 2026
Simple User Registration (CVE-2024-53810) , Dec 08, 2024
Simple User Registration (CVE-2025-53428) , Nov 11, 2025
New vulnerability
Page Builder Gutenberg Blocks – CoBlocks (CVE-2026-4801) , Apr 20, 2026
Categories Images (CVE-2026-2505) , Apr 20, 2026
Contextual Related Posts (CVE-2026-2986) , Apr 20, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-8615) , Apr 20, 2026
Hostel (CVE-2026-1838) , Apr 20, 2026