CVE-2026-0693 in Allow HTML in Category Descriptions Plugin
Summary
by MITRE • 02/14/2026
The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified in CVE-2026-0693 affects the Allow HTML in Category Descriptions plugin for WordPress, representing a critical stored cross-site scripting weakness that can be exploited by authenticated attackers with administrator-level privileges or higher. This flaw exists within all plugin versions up to and including 1.2.4, creating a persistent security risk that allows malicious code injection directly into category descriptions. The vulnerability stems from the plugin's improper handling of HTML sanitization mechanisms, specifically its unconditional removal of WordPress's built-in `wp_kses_data` output filter for several critical fields including term_description, link_description, link_notes, and user_description. This technical oversight fundamentally undermines the platform's security architecture by bypassing essential content validation processes that are designed to prevent malicious script execution.
The operational impact of this vulnerability is severe and multifaceted, as it enables attackers to execute arbitrary web scripts whenever users access pages displaying affected category descriptions. This stored XSS vulnerability operates through a sophisticated attack vector that leverages the plugin's design flaw to remove essential sanitization filters without proper capability verification. The attack requires only an authenticated administrator-level account to exploit, making it particularly dangerous in environments where administrative privileges are compromised or where attackers have gained access through other means. The vulnerability's scope is further limited to multi-site WordPress installations and environments where the unfiltered_html capability has been disabled, which represents a significant portion of enterprise WordPress deployments and security-conscious installations.
From a cybersecurity perspective, this vulnerability maps directly to CWE-79 which describes Cross-Site Scripting flaws, and aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter, specifically through the execution of malicious scripts in web browsers. The attack chain begins with an authenticated administrator gaining access to the plugin's category management interface, followed by the injection of malicious JavaScript code into category descriptions, and concludes with the execution of this code when unsuspecting users browse pages containing the compromised descriptions. The vulnerability's persistence stems from the stored nature of the attack, meaning that the malicious scripts remain active until manually removed from the database, potentially affecting all users who encounter the compromised content. This makes the vulnerability particularly dangerous for organizations with high user traffic or those hosting content that attracts significant visitor engagement.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term security hardening measures. The primary recommendation involves upgrading to the latest version of the Allow HTML in Category Descriptions plugin where the vulnerability has been patched and the improper filter removal has been corrected. Organizations should also implement strict access controls and privilege management to minimize the attack surface, ensuring that only trusted administrators have access to category management functions. Additionally, security monitoring should include regular scanning for malicious scripts in database entries, particularly in fields related to term descriptions and user-generated content. The implementation of Content Security Policy (CSP) headers can provide an additional layer of protection by preventing the execution of unauthorized scripts even if the vulnerability is exploited. Network segmentation and regular security audits should also be implemented to detect and prevent unauthorized access to administrative interfaces. Organizations should also consider implementing automated patch management systems to ensure timely deployment of security updates across all WordPress installations.