WordPress Plugin Vulnerabilities

Category Icon <= 1.0.3 - Author+ XML External Entity Injection

Description

The plugin is vulnerable to XML External Entity Injection (XXE). This may make it possible for allow authenticated attackers, with author-level access and above, to extract sensitive data or achieve code execution in vulnerable configurations.

Affects Plugins

Plugin icon
category-icon
No known fix

References

CVE
CVE-2025-31039
URL
https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-xml-external-entity-xxe-vulnerability

Classification

Type
XXE
OWASP top 10
A4: XML External Entities (XXE)
CWE
CWE-611
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Drew Webber (mcdruid)
Verified
No
WPVDB ID
e3063db7-af7e-4a8c-b30d-9df55e73e71b

Timeline

Publicly Published
2025-06-03 (about 1 year ago)
Added
2025-06-12 (about 1 year ago)
Last Updated
2025-12-15 (about 6 months ago)

Other

Published
Title
Published
2017-11-14
Title
TablePress <= 1.8 - Authenticated XML External Entity (XXE)
Published
2014-08-01
Title
Advanced XML Reader 0.1.1 - XML External Entity (XXE) Data Parsing Arbitrary File Disclosure
Published
2015-06-10
Title
WooCommerce 2.0.20-2.3.10 - Object Injection / XXE
Published
2026-01-16
Title
Demo Importer Plus < 2.0.10 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload
Published
2014-09-16
Title
WordPress 3.6 - 3.9.1 XXE in GetID3 Library