WordPress Plugin Vulnerabilities

Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions

Description

The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
allow-html-in-category-descriptions
No known fix

References

CVE
CVE-2026-0693
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b63c9a5a-fa3e-46c7-9d9c-7c209fc5713a

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
ZAST.AI
Verified
No
WPVDB ID
91ed2c38-2b9f-45d6-98af-fb021396330f

Timeline

Publicly Published
2026-02-13 (about 3 months ago)
Added
2026-02-13 (about 3 months ago)
Last Updated
2026-04-15 (about 1 month ago)

Other

Published
Title
Published
2022-12-16
Title
iPages Flipbook For WordPress < 1.4.7 - Contributor+ Stored XSS
Published
2025-10-31
Title
Schema & Structured Data for WP & AMP < 1.52 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-11
Title
BP Email Assign Templates < 1.6 - Reflected XSS
Published
2024-11-28
Title
WP Mermaid <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-03-28
Title
Autolinks <= 1.0.1 - Stored Cross-Site Scripting via CSRF