CVE-2026-0693
Unknown Unknown - Not Provided
Stored XSS in WordPress Allow HTML Plugin Category Descriptions

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-02-14
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0693
EUVD
EUVD-2026-6052
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence allow_html_in_category_descriptions to 1.2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Allow HTML in Category Descriptions plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.2.4.

This vulnerability arises because the plugin removes the `wp_kses_data` output filter for certain fields (term_description, link_description, link_notes, and user_description) without verifying user permissions.

As a result, authenticated users with administrator-level access or higher can inject malicious scripts into category descriptions.

These scripts execute whenever any user views a page displaying the affected category description.

This issue only affects multi-site WordPress installations or installations where the unfiltered_html capability has been disabled.

Impact Analysis

This vulnerability can allow attackers with administrator-level access to inject arbitrary web scripts into category descriptions.

When other users visit pages displaying these category descriptions, the malicious scripts will execute in their browsers.

This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement, or spreading malware.

Because the attack requires high-level privileges, the risk is somewhat limited to compromised or malicious administrators, but the impact on site users can be significant.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update or remove the Allow HTML in Category Descriptions plugin if it is installed and running a version up to and including 1.2.4.

Additionally, ensure that only trusted users have administrator-level access, as the vulnerability requires authenticated attackers with administrator privileges.

If updating is not immediately possible, consider disabling the plugin or restricting access to category descriptions to prevent injection of arbitrary scripts.

Also, verify that your WordPress installation is either not multi-site or that the unfiltered_html capability is enabled for trusted users, as the vulnerability only affects multi-site installations or those with unfiltered_html disabled.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0693. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart