List category posts

Changelog

See CHANGELOG.md for full Changelog.

0.94.0

  • Addresses CVE-2026-0553.
  • Addresses potential debug warning: Undefined array key QUERY_STRING. Report: https://wordpress.org/support/topic/php-8-4-issue-2/
  • Escapes HTML for the thumbnail class.

0.93.1

  • Fixes a bug with post_status introduced in sanitize_status. Thanks Galen Charlton (@gmcharlt) for the catch and fix!

0.93.0

  • Don't skip the password-protected filter when showing content.
  • Sanitize post_status so that some posts are only shown if the user is an Editor or Administrator.
  • Addresses reported vulnerability: CVE-2025-11377, Authenticated (Contributor+) Information Exposure. Severity Score: 4.3 (Medium). CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Organization: Wordfence. Vulnerability Researcher(s): Athiwat Tiprasaharn (Jitlada)

This is a low-risk vulnerability that could potentially be exploited by an authenticated attacker with contributor-level access or above. It should be fixed with this version.

0.92.0

  • Avoids potential SQL injection in the starting_with parameter – CVE-2025-10163. This removes the SQL injection and makes starting_with work as documented in the Wiki. The previous code also allowed things like [catlist starting_with="Hello"], which would return posts starting with "Hello" but not all posts starting with "H". The new implementation returns both, because only the first character matters, which is fine because that is what is documented.
  • Improves template file inclusion security. Template files used via the template parameter can only have letters, numbers, _ and - in the name, and can only be located in the current theme's directory under a list-category-posts directory.
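As an added illustration of the starting_with fix described above (not the plugin's own code), this function builds the clause so that only the first character of the parameter is used and the value goes through $wpdb->prepare() instead of string concatenation. The function name, the column compared and the calling convention are assumptions made for the example.

```php
<?php
// Added example, not code from the List category posts plugin.
// Assumes WordPress is loaded so that the global $wpdb object exists.

function lcp_example_starting_with_clause( $starting_with ) {
    global $wpdb;

    if ( ! is_string( $starting_with ) || '' === $starting_with ) {
        return '';
    }

    // Only the first character matters, as documented: "Hello" and "H" behave the same.
    $first = mb_substr( $starting_with, 0, 1 );

    // esc_like() escapes %, _ and \ so a single character cannot widen the LIKE
    // pattern; prepare() then quotes the whole value as one string literal, so
    // nothing from the shortcode attribute is ever spliced into the SQL as code.
    $pattern = $wpdb->esc_like( $first ) . '%';

    // Column name is an assumption for illustration; {$wpdb->posts} is the real posts table name.
    return $wpdb->prepare( " AND {$wpdb->posts}.post_title LIKE %s", $pattern );
}

// Usage (assumed attribute handling): $where .= lcp_example_starting_with_clause( $atts['starting_with'] ?? '' );
```

The defensive point is that the parameter is reduced to one character before it reaches the query, and that even that one character is treated as data by prepare() and esc_like(), so the behaviour described in the changelog follows directly from the construction rather than from input filtering.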

0.91.0

  • Addresses CVE-2025-47636, avoiding Local File Inclusion in the template system. The code removes any occurrence of the string '../' from the template parameter. Template files must be PHP files located in a directory named list-category-posts under wp-content/themes/your-theme-folder.
    https://www.cve.org/CVERecord?id=CVE-2025-47636
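The 0.91.0 and 0.92.0 entries above describe two generations of the same control: first stripping '../' from the template parameter, then restricting the name to letters, digits, _ and - and the location to the theme's list-category-posts directory. The following is an added example (not the plugin's code) of how that second, allowlist-based rule can be enforced, with a real-path containment check on top; the function name, the fallback and the use of the active stylesheet directory are assumptions.

```php
<?php
// Added example, not code from the List category posts plugin.
// Assumes WordPress is loaded (get_stylesheet_directory, trailingslashit).

function lcp_example_resolve_template( $template ) {
    // Allowlist the name itself. Stripping one substring such as '../' is a
    // denylist and only addresses the patterns it names; an allowlist of
    // characters leaves no room for path separators or absolute paths at all.
    if ( ! is_string( $template ) || ! preg_match( '/\A[A-Za-z0-9_-]+\z/', $template ) ) {
        return null;
    }

    // Templates may only live in <active theme>/list-category-posts/ and must be .php.
    $dir  = trailingslashit( get_stylesheet_directory() ) . 'list-category-posts/';
    $path = $dir . $template . '.php';

    // Belt and braces: resolve symlinks and confirm the file really sits inside $dir.
    $real_dir  = realpath( $dir );
    $real_path = realpath( $path );
    if ( false === $real_dir || false === $real_path ) {
        return null; // directory or file does not exist
    }
    if ( 0 !== strpos( $real_path, $real_dir . DIRECTORY_SEPARATOR ) ) {
        return null; // resolved outside the allowed directory
    }

    return $real_path;
}

// Usage (assumed shortcode attribute handling):
$template_path = lcp_example_resolve_template( $atts['template'] ?? '' );
if ( null !== $template_path ) {
    include $template_path;
} else {
    // Fall back to the plugin's default output instead of including anything.
}
```

Two properties are worth checking when reviewing a fix like this: the name is validated before it is joined to any path (so the regex is the control, and realpath() is only a second opinion), and a failed check yields no include at all rather than a "cleaned" name that is then included anyway.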

0.90.3

  • Hardens the XSS fix for the script tag by matching case-insensitively and using tag_escape.

0.90.2

  • Updates the fix for stored cross-site scripting from 0.90.0, now applied to all tags. From this version onwards, script cannot be used as a tag when setting an element's tag in the shortcode.

0.90.1

  • Fixes PHP 8.2 deprecation notices.
  • Removes empty anchor tags from the widget morelink.

0.90.0

  • Fixes a Stored Cross-Site Scripting issue using excerpt_tag='script'.


Version: 0.94.0
Last Updated: February 16, 2026
Active Installs: 80000
Requires: WordPress 3.3
Tested Up To: WordPress 6.9.1
Requires PHP: 5.6
