PT-2026-33601 · WordPress · Categories Images
Athiwat Tiprasaharn +1 · Published 2026-04-18 · Updated 2026-04-19 · CVE-2026-2505
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Categories Images plugin for WordPress versions prior to 3.3.2
Description
The plugin is subject to Stored Cross-Site Scripting via the 'z taxonomy image' shortcode. The issue occurs because the shortcode rendering path passes attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts through the class shortcode attribute; the script executes whenever a user interacts with the front-end page that renders the injected shortcode.
Recommendations
Update the plugin to a version newer than 3.3.1.
As a temporary workaround, restrict the use of the class attribute within the 'z taxonomy image' shortcode.
Fix · XSS
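To make the escaping defect concrete, here is an added, hypothetical shortcode handler (not the Categories Images plugin's own code) that shows the weak attribute concatenation the description refers to beside a hardened form built on WordPress's escaping helpers; the shortcode tag `example_taxonomy_image` and the attribute names are assumptions.

```php
<?php
// Added illustration, not the Categories Images plugin's code. The shortcode
// tag 'example_taxonomy_image' and the attribute names are assumptions.

// Weak form: the class attribute is concatenated into the <img> tag without
// escaping, so a value containing a double quote can leave the attribute and
// add new markup. Post content is editable by Contributor-level users.
function example_taxonomy_image_weak( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'class' => '' ),
        $atts,
        'example_taxonomy_image'
    );
    return '<img src="' . $atts['src'] . '" class="' . $atts['class'] . '" />';
}

// Hardened form: each value is escaped for the context it is printed in.
function example_taxonomy_image_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'class' => '' ),
        $atts,
        'example_taxonomy_image'
    );
    // Reduce each space-separated token to characters valid in a class name
    // (sanitize_html_class strips everything but A-Z, a-z, 0-9, _ and -),
    // then encode the result for an HTML attribute context with esc_attr().
    $tokens = preg_split( '/\s+/', trim( $atts['class'] ) );
    $tokens = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    $class  = esc_attr( implode( ' ', $tokens ) );
    // esc_url() rejects unsafe schemes and encodes the URL for attribute use.
    $src = esc_url( $atts['src'] );
    return '<img src="' . $src . '" class="' . $class . '" />';
}

// Only the hardened handler is registered; the weak one is shown for contrast.
add_shortcode( 'example_taxonomy_image', 'example_taxonomy_image_safe' );
```

With the hardened handler, a class value carrying quotes or angle brackets is reduced to a plain class list before it reaches the page, which is the effect the advisory's workaround of restricting the class attribute is meant to achieve.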