PT-2026-4589 · WordPress · Allow Html In Category Descriptions

Zast.Ai · Published 2026-01-24 · Updated 2026-02-14 · CVE-2026-0693

CVSS v3.1: 4.4 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Allow HTML in Category Descriptions plugin for WordPress, versions up to and including 1.2.4

Description: The Allow HTML in Category Descriptions plugin for WordPress is susceptible to stored cross-site scripting through category descriptions. The plugin removes the wp_kses_data output filter from the term description, link description, link notes and user description fields without verifying user capabilities. This allows authenticated attackers with administrator-level access or higher to inject arbitrary web scripts into category descriptions; the scripts execute whenever a user views a page that displays the category description. The issue specifically affects multi-site installations and installations where the unfiltered_html capability is disabled. It stems from a mismatch between input and output permissions: the input is authorized, but the output is not properly safeguarded.

Recommendations: Versions up to and including 1.2.4 should be updated to a newer, fixed version when available.
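A defensive pattern for the input/output permission mismatch described above, written as an added example and not the plugin's own code: removal of the kses filters on the four description fields is gated on the unfiltered_html capability, so save-time and admin display-time sanitisation are relaxed together and only for users WordPress already trusts with raw HTML. The function and constant names are assumptions; the hooks, filters, functions and capability are WordPress core's.

```php
<?php
/**
 * Added example, not the plugin's code: a plugin that lets trusted users store
 * raw HTML in term, link and user descriptions should relax kses only for users
 * holding unfiltered_html, the same capability core's kses_init() checks.
 * example_relax_description_kses and the EXAMPLE_* constants are hypothetical
 * names; the hook, filter, function and capability names are WordPress core's.
 */

// Save-time filters: core runs wp_filter_kses on these before the value is stored.
const EXAMPLE_SAVE_FILTERS = array(
    'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description',
);

// Display-time filters: core runs wp_kses_data on these, in the admin area only.
const EXAMPLE_DISPLAY_FILTERS = array(
    'term_description', 'link_description', 'link_notes', 'user_description',
);

function example_relax_description_kses() {
    // Weak pattern (the class of bug the advisory describes): unconditional removal,
    // so the output filter is also gone for users who must not post raw HTML, such as
    // multisite administrators, who lack unfiltered_html by default.
    //
    //   foreach ( EXAMPLE_DISPLAY_FILTERS as $f ) { remove_filter( $f, 'wp_kses_data' ); }

    // Hardened pattern: one capability decides both the input and the output side,
    // so what may be stored unfiltered and what may be shown unfiltered agree.
    $trusted = current_user_can( 'unfiltered_html' );

    foreach ( EXAMPLE_SAVE_FILTERS as $filter ) {
        if ( $trusted ) {
            remove_filter( $filter, 'wp_filter_kses' );
        } else {
            add_filter( $filter, 'wp_filter_kses' ); // idempotent; restores core's filter
        }
    }
    foreach ( EXAMPLE_DISPLAY_FILTERS as $filter ) {
        if ( $trusted ) {
            remove_filter( $filter, 'wp_kses_data' );
        } elseif ( is_admin() ) {
            add_filter( $filter, 'wp_kses_data' ); // core installs this only in the admin area
        }
    }
}

// Run once the current user is known, on the same hooks core uses for kses_init().
add_action( 'init', 'example_relax_description_kses' );
add_action( 'set_current_user', 'example_relax_description_kses' );
```

Because the check runs again on set_current_user, switching to a less privileged user re-installs core's filters instead of leaving them removed.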

Weakness Enumeration: XSS

Related Identifiers: CVE-2026-0693

Affected Products: Allow Html In Category Descriptions