List category posts <= 0.94.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'catlist' Shortcode

Description

A vulnerability has been found in fernandobt List Category Posts Plugin up to 0.94.0 on WordPress and classified as problematic. Affected by this issue is the function catlist of the component Shortcode Handler. The manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2026-3005. Remote exploitation of the attack is possible.

Affected Products

Vendor	Product	Versions
fernandobt	list category posts	0

References

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-3005 | fernandobt List Category Posts Plugin up to 0.94.0 on WordPress Shortcode catlist cross site scripting

→ No new info (linked only)

CVSS 3.16.4 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-79

PublishedApr 9, 2026

Last enriched2h agov2

Trending Score43

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 2h ago

v2Tier C2h ago

Updated description with more technical detail and marked the vulnerability as actively exploited.

descriptionactivelyExploited

via VulDB

v13h ago

Initial creation