Description
The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-02-14
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can allow authenticated administrators to inject arbitrary scripts
Action: Update Plugin
AI Analysis

Impact

The Allow HTML in Category Descriptions plugin is vulnerable to stored cross‑site scripting. By removing the wp_kses_data filter for term_description, link_description, link_notes, and user_description fields without validating user capabilities, an attacker with administrator‑level or higher privileges can embed malicious scripts into category descriptions. Those scripts execute whenever the category description is displayed to any visitor, potentially enabling data theft, defacement, or malware delivery. This flaw corresponds to CWE‑79.

Affected Systems

The vulnerability affects all releases of the Allow HTML in Category Descriptions plugin up to and including version 1.2.4, as used on WordPress multi‑site installations or any site where unfiltered_html is disabled. The plugin is produced by arnoesterhuizen. Only administrators or higher roles can exploit the flaw; non‑administrator users cannot inject code directly. The impact is confined to category descriptions, which are displayed on pages where a category is shown.

Risk and Exploitability

The CVSS base score of 4.4 indicates moderate severity, while an EPSS score of less than 1% reflects a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalogue, implying no known large‑scale exploitation as of now. The attack vector requires authenticated admin access on a site that renders category descriptions; once code is injected, it runs for all visitors, amplifying the potential impact. Consequently, organizations using this plugin should treat the flaw as a significant risk that warrants timely remediation.

Generated by OpenCVE AI on April 15, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Allow HTML in Category Descriptions plugin to the latest version available for all sites in the network.
  • Restrict editing of category descriptions to the administrator role only and ensure that the unfiltered_html capability for non‑administrators remains disabled.
  • If an immediate update is not feasible, delete any HTML tags from existing category descriptions using the WordPress editor or a cleanup script so that injected scripts cannot execute.

Generated by OpenCVE AI on April 15, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Arnoesterhuizen
Arnoesterhuizen allow Html In Category Descriptions
Wordpress
Wordpress wordpress
Vendors & Products Arnoesterhuizen
Arnoesterhuizen allow Html In Category Descriptions
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Arnoesterhuizen Allow Html In Category Descriptions
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:23.778Z

Reserved: 2026-01-07T20:58:33.120Z

Link: CVE-2026-0693

cve-icon Vulnrichment

Updated: 2026-02-17T15:36:36.176Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T07:16:08.417

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0693

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses