CVE-2026-2505

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'ztaxonomyimage' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates...

CVE-2026-2505

The CVE-2026-2505 entry concerns the WordPress Categories Images plugin (versions

CVE-2026-2505 Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'ztaxonomyimage' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates...

PT-2024-17231 · WordPress · Tcbd Popover

Name of the Vulnerable Software and Affected Versions: TCBD Popover plugin for WordPress versions prior to 1.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'tcbd-popover-image' shortcode due to insufficient input sanitization and output escaping on user-suppli...

PT-2024-34719 · WordPress · Wpza Amp Img Shortcode

Name of the Vulnerable Software and Affected Versions: WPZA AMP Img Shortcode versions 1.0.0 through 1.0.1 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting XSS, which allows Stored XSS. This means that an attacker...

WordPress Webico Slider Flatsome Addons plugin <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wbc_image Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via wbcimage Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Webico Slider Flatsome Addons versions = 2.0.1...

PT-2024-37218 · WordPress · Webico Slider Flatsome Addons

Name of the Vulnerable Software and Affected Versions: Webico Slider Flatsome Addons plugin for WordPress versions up to, and including, 2.0.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's wbc image shortcode due to insufficient input sanitization and output...

PT-2023-32229 · WordPress · Booster For Woocommerce

Name of the Vulnerable Software and Affected Versions: The Booster for WooCommerce plugin for WordPress versions up to, and including, 7.1.2 Description: The issue is related to Stored Cross-Site Scripting via the wcj image shortcode due to insufficient input sanitization and output escaping on...

CVE-2022-29858

Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content...