← Back
2026-04-09 12:28CVE-2026-3005Wordfence
PUBLISHED5.2CWE-79

List category posts <= 0.94.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'catlist' Shortcode

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Problem type

Affected products

fernandobt

List category posts

<= 0.94.0 - AFFECTED

References

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/changeset/3482733/

GitHub Security Advisories

GHSA-qp6x-q6f7-3wq4

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...

https://github.com/advisories/GHSA-qp6x-q6f7-3wq4

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-3005

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/changeset/3482733

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve

github.com

https://github.com/advisories/GHSA-qp6x-q6f7-3wq4

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-3005
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-3005",
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "dateUpdated": "2026-04-09T12:28:05.799Z",
    "dateReserved": "2026-02-23T04:55:44.358Z",
    "datePublished": "2026-04-09T12:28:05.799Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence",
        "dateUpdated": "2026-04-09T12:28:05.799Z"
      },
      "title": "List category posts <= 0.94.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'catlist' Shortcode",
      "descriptions": [
        {
          "lang": "en",
          "value": "The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "affected": [
        {
          "vendor": "fernandobt",
          "product": "List category posts",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "0.94.0"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3482733/"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-04-08T00:00:00.000Z",
          "lang": "en",
          "value": "Disclosed"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Athiwat Tiprasaharn",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "Itthidej Aramsri",
          "type": "finder"
        }
      ]
    }
  }
}