WordPress Allow HTML in Category Descriptions Plugin Allows Malicious Code in Category Descriptions

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.4

WordPress Allow HTML in Category Descriptions Plugin Allows Malicious Code in Category Descriptions

CVE-2026-0693

Summary

An attacker with admin-level access can inject malicious code into category descriptions, which can affect users who view those categories. This only applies to multi-site WordPress installations where extra security settings are in place. Update the plugin to the latest version to fix this issue.

Original title

Original description

The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and installations where unfiltered_html has been disabled.

nvd CVSS3.1 4.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026