{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0693", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T20:58:33.120Z", "datePublished": "2026-02-14T06:42:32.915Z", "dateUpdated": "2026-04-08T17:17:23.778Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:23.778Z"}, "affected": [{"vendor": "arnoesterhuizen", "product": "Allow HTML in Category Descriptions", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b63c9a5a-fa3e-46c7-9d9c-7c209fc5713a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/allow-html-in-category-descriptions/trunk/html-in-category-descriptions.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/allow-html-in-category-descriptions/tags/1.2.4/html-in-category-descriptions.php#L23"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2026-02-13T18:18:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:36:35.505807Z", "id": "CVE-2026-0693", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:46:05.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0693", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:36:35.505807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:36:36.176Z"}}], "cna": {"title": "Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions", "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "arnoesterhuizen", "product": "Allow HTML in Category Descriptions", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:18:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b63c9a5a-fa3e-46c7-9d9c-7c209fc5713a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/allow-html-in-category-descriptions/trunk/html-in-category-descriptions.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/allow-html-in-category-descriptions/tags/1.2.4/html-in-category-descriptions.php#L23"}], "descriptions": [{"lang": "en", "value": "The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:23.778Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0693", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:23.778Z", "dateReserved": "2026-01-07T20:58:33.120Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:32.915Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El plugin Allow HTML en Category Descriptions para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de las descripciones de categor\u00eda en todas las versiones hasta la 1.2.4, inclusive. Esto se debe a que el plugin elimina incondicionalmente el filtro de salida `wp_kses_data` para los campos term_description, link_description, link_notes y user_description sin verificar las capacidades del usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de administrador y superior, inyecten scripts web arbitrarios en las descripciones de categor\u00eda que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina donde se muestre la descripci\u00f3n de la categor\u00eda. Esto solo afecta a instalaciones multisitio y a instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2026-0693", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:08.417", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/allow-html-in-category-descriptions/tags/1.2.4/html-in-category-descriptions.php#L23"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/allow-html-in-category-descriptions/trunk/html-in-category-descriptions.php#L23"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b63c9a5a-fa3e-46c7-9d9c-7c209fc5713a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.4]"}}], "product": "allow_html_in_category_descriptions", "vendor": "arnoesterhuizen"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:27:31.771989+00:00", "value": {"mitigation_remediation": ["Update the Allow HTML in Category Descriptions plugin to the latest version available for all sites in the network.", "Restrict editing of category descriptions to the administrator role only and ensure that the unfiltered_html capability for non\u2011administrators remains disabled.", "If an immediate update is not feasible, delete any HTML tags from existing category descriptions using the WordPress editor or a cleanup script so that injected scripts cannot execute."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting that can allow authenticated administrators to inject arbitrary scripts"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Allow HTML in Category Descriptions plugin up to and including version 1.2.4, as used on WordPress multi\u2011site installations or any site where unfiltered_html is disabled. The plugin is produced by arnoesterhuizen. Only administrators or higher roles can exploit the flaw; non\u2011administrator users cannot inject code directly. The impact is confined to category descriptions, which are displayed on pages where a category is shown.", "description_and_impact": "The Allow HTML in Category Descriptions plugin is vulnerable to stored cross\u2011site scripting. By removing the wp_kses_data filter for term_description, link_description, link_notes, and user_description fields without validating user capabilities, an attacker with administrator\u2011level or higher privileges can embed malicious scripts into category descriptions. Those scripts execute whenever the category description is displayed to any visitor, potentially enabling data theft, defacement, or malware delivery. This flaw corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 4.4 indicates moderate severity, while an EPSS score of less than 1% reflects a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalogue, implying no known large\u2011scale exploitation as of now. The attack vector requires authenticated admin access on a site that renders category descriptions; once code is injected, it runs for all visitors, amplifying the potential impact. Consequently, organizations using this plugin should treat the flaw as a significant risk that warrants timely remediation."}}}}, "created": "2026-02-16T12:02:08.833209+00:00", "updated": "2026-04-15T18:30:10.952871+00:00", "vendors": ["arnoesterhuizen", "arnoesterhuizen$PRODUCT$allow_html_in_category_descriptions", "wordpress", "wordpress$PRODUCT$wordpress"]}