Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget category-widget allows Reflected XSS. This issue affects Category Widget: from n/a through <= 2.0.2.
Published: 2025-05-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Category Widget plugin for WordPress contains a reflected cross-site scripting flaw, classified as CWE-79: input supplied in the request is written into the widget's rendered HTML without being neutralized. An attacker who gets a victim to open a crafted URL has the injected content echoed back and executed as JavaScript in the victim's browser, under the vulnerable site's origin and with the victim's session. Because the payload travels in the URL rather than being stored, each victim must be lured individually, but a successful attack can expose data in the victim's session, deface the page as the victim sees it, or perform actions and steal data with the victim's privileges on the site.

Affected Systems

All installations of the Category Widget plugin distributed by M A Vinoth Kumar up to and including version 2.0.2 are affected. The CVE gives no lower bound ("n/a") and names no fixed release, so any site running 2.0.2 or an earlier version should be treated as at risk.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) rates this flaw High: it is reachable over the network, needs no privileges, and requires only that a victim open a crafted link (UI:R); the changed scope reflects that the payload executes in the victim's browser rather than on the server, with low confidentiality, integrity and availability impact each. The EPSS score below 1% indicates that exploitation is rarely observed in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack path is inferred to be a crafted URL whose parameters are reflected into the widget output. Active exploitation is unlikely given the low EPSS, but reflected XSS is cheap to exploit once the reflecting parameter is known, so the potential for user compromise remains.

Generated by OpenCVE AI on May 1, 2026 at 08:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Category Widget plugin to a version that removes the reflected XSS flaw, if such an update exists.
  • If an upgrade is not immediately possible, patch the widget's output code (or wrap it through a filter hook) so that every reflected value is escaped at the point of output with the WordPress helper for its context: esc_html for text content, esc_attr for attribute values, esc_url for href/src values. Sanitizing input alone does not prevent reflected XSS.
  • If the widget’s functionality is not essential, delete or disable the plugin to eliminate the attack surface.
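To make the Impact paragraph and the escaping advice above concrete, here is an added illustration in PHP; it is not code from the Category Widget plugin or from its author. It shows a minimal WordPress widget that reflects a query-string parameter into its output, first with the CWE-79 defect and then hardened with context-specific escaping. The parameter name cw_filter, the two widget classes and their markup are hypothetical (the CVE does not say which input the real plugin reflects), and the code assumes a WordPress runtime that provides WP_Widget, add_query_arg and the esc_* helpers.

```php
<?php
/**
 * Added illustration (not code from the Category Widget plugin): a minimal
 * WordPress widget that reflects a query-string parameter into its output,
 * shown first with the CWE-79 defect and then hardened.
 *
 * Everything named here is hypothetical: the parameter "cw_filter", the
 * widget classes and their markup. The CVE does not say which input the real
 * plugin reflects. Assumes a WordPress runtime (WP_Widget, esc_* helpers).
 */

/* Vulnerable pattern: raw request data written straight into HTML. */
class Hypothetical_Category_Widget_Vulnerable extends WP_Widget {

	public function __construct() {
		parent::__construct( 'hyp_cw_vuln', 'Hypothetical Category Widget (vulnerable)' );
	}

	public function widget( $args, $instance ) {
		$filter = isset( $_GET['cw_filter'] ) ? $_GET['cw_filter'] : '';

		echo $args['before_widget'];
		// Text node, attribute value and href all receive attacker-controlled
		// input unescaped. A URL whose cw_filter value contains a closing
		// quote or a <script> tag breaks out of the attribute or injects
		// markup, and the browser runs it under this site's origin for
		// whoever opens the link.
		echo '<p>Showing categories matching: ' . $filter . '</p>';
		echo '<input type="text" name="cw_filter" value="' . $filter . '">';
		echo '<a href="' . add_query_arg( 'cw_filter', $filter ) . '">Refresh</a>';
		echo $args['after_widget'];
	}
}

/* Hardened form: sanitize on input, escape for the exact output context. */
class Hypothetical_Category_Widget_Fixed extends WP_Widget {

	public function __construct() {
		parent::__construct( 'hyp_cw_fixed', 'Hypothetical Category Widget (fixed)' );
	}

	public function widget( $args, $instance ) {
		// wp_unslash() removes the slashes WordPress adds to request data;
		// sanitize_text_field() strips tags and control characters. This
		// normalizes the value but is not a substitute for output escaping.
		$filter = isset( $_GET['cw_filter'] )
			? sanitize_text_field( wp_unslash( $_GET['cw_filter'] ) )
			: '';

		echo $args['before_widget'];
		// Each sink gets the escaper for its context: esc_html() for text
		// content, esc_attr() inside a quoted attribute, esc_url() for href.
		echo '<p>Showing categories matching: ' . esc_html( $filter ) . '</p>';
		echo '<input type="text" name="cw_filter" value="' . esc_attr( $filter ) . '">';
		echo '<a href="' . esc_url( add_query_arg( 'cw_filter', $filter ) ) . '">Refresh</a>';
		echo $args['after_widget'];
	}
}

add_action( 'widgets_init', function () {
	register_widget( 'Hypothetical_Category_Widget_Fixed' );
} );
```

Two points worth noting. The href is passed through esc_url even though add_query_arg URL-encodes the value it is given, because add_query_arg builds on the current request URI, which the attacker also controls; WordPress's developer reference states that its return value is not escaped. And the escaper has to match the sink: esc_html on a value that later lands inside an attribute or a script block does not help. A quick check for a reflected-XSS fix is to request the page that renders the widget with a distinctive marker string in each query parameter and confirm the marker never appears in the response outside an escaped form.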

Generated by OpenCVE AI on May 1, 2026 at 08:09 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-28057
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget allows Reflected XSS. This issue affects Category Widget: from n/a through 2.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget allows Reflected XSS. This issue affects Category Widget: from n/a through 2.0.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget category-widget allows Reflected XSS.This issue affects Category Widget: from n/a through <= 2.0.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget allows Reflected XSS. This issue affects Category Widget: from n/a through 2.0.2.
Title WordPress Category Widget plugin <= 2.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:39.785Z

Reserved: 2025-04-24T14:23:19.972Z

Link: CVE-2025-46515

Vulnrichment

Updated: 2025-05-23T14:54:34.439Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:36.573

Modified: 2026-04-23T15:30:09.230

Link: CVE-2025-46515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses