Allow HTML in Category Descriptions Vulnerability (Medium) – CVE-20…

Feb 13, 2026 | Plugins

Attack Vectors

Allow HTML in Category Descriptions (slug: allow-html-in-category-descriptions) has a Medium severity vulnerability (CVSS 4.4; CVE: CVE-2026-0693) that can be triggered by an authenticated user with Administrator (or higher) access. The attack consists of placing script content into a category description; WordPress stores it as-is, and it executes in the browser of anyone who later views a page that renders that description.

In practical terms, this is most relevant in organizations where several people or third parties hold admin-level access, such as agencies, contractors, or distributed teams. If one of those accounts is compromised, the attacker can use this weakness to plant content that runs automatically for visitors or for staff viewing affected pages, including other administrators.

Security Weakness

The issue is stored cross-site scripting (stored XSS). According to the published advisory, the plugin removes WordPress’s standard output filtering (specifically the wp_kses_data filter) for certain description fields, including term_description. The key weakness is that the removal happens without checking user capabilities: it applies to every user rather than only to those WordPress already trusts with raw HTML through the unfiltered_html capability. That distinction matters most where administrators do not hold unfiltered_html, for example on multisite installations (where only super admins have it by default) or on sites that define DISALLOW_UNFILTERED_HTML; there, core would normally strip script from a description, and the plugin’s unconditional removal bypasses that protection.

Because the injected content is stored and later displayed to others, the risk isn’t limited to a single session—this can persist until discovered and removed. The vulnerability affects all versions up to and including 1.2.4, and there is no known patch available at the time of the advisory.
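The following PHP is an added illustration of the pattern the advisory describes, not the plugin’s actual code: the unconditional filter removal on the left of the problem, next to a variant that gates the removal on WordPress’s existing unfiltered_html capability and keeps wp_kses_post on the description so rich HTML is allowed but script is not. The function names prefixed ahcd_example_ are invented for this example; remove_filter, add_filter, add_action, current_user_can, wp_filter_kses, wp_kses_data and wp_kses_post are WordPress core functions.

```php
<?php
/*
 * Added illustration (not the plugin's code). WordPress core hooks
 * wp_filter_kses on 'pre_term_description' (applied when a term is saved)
 * and wp_kses_data on 'term_description' (applied when it is displayed).
 * Both strip <script>, on* event handlers and javascript: URLs.
 */

// Weak pattern: the core filters are removed for every request, so any
// user who can edit a term can store raw markup, and the stored value is
// echoed back without sanitization. There is no capability check at all.
function ahcd_example_unfilter_unconditionally() {
	remove_filter( 'pre_term_description', 'wp_filter_kses' );
	remove_filter( 'term_description', 'wp_kses_data' );
}
// add_action( 'init', 'ahcd_example_unfilter_unconditionally' ); // weak: do not use

// Hardened pattern: only users WordPress already trusts with raw HTML
// (the unfiltered_html capability) get the restrictive core filters lifted,
// and even for them the description is still passed through wp_kses_post,
// which allows the HTML an editor needs but not script. Hooked on 'init'
// so the current user is known when current_user_can() runs.
function ahcd_example_unfilter_with_capability_check() {
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		return; // everyone else keeps core's default filtering
	}
	// Save time: swap the restrictive tag set for the post-content one.
	remove_filter( 'pre_term_description', 'wp_filter_kses' );
	add_filter( 'pre_term_description', 'wp_kses_post' );
	// Display time: same swap, so script never reaches the page even if a
	// description was stored before this check existed.
	remove_filter( 'term_description', 'wp_kses_data' );
	add_filter( 'term_description', 'wp_kses_post' );
}
add_action( 'init', 'ahcd_example_unfilter_with_capability_check' );
```

The hardened variant is deliberately stricter than a bare capability check: rather than removing sanitization for trusted users, it replaces the restrictive filter with wp_kses_post, so a description can carry formatting, links and images but a script tag, an on* handler or a javascript: URL is stripped on both save and display regardless of who is viewing the page. That closes the sink the advisory describes while preserving what the plugin exists to provide.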

Technical or Business Impacts

For executives and compliance stakeholders, the main concern is that a successful Stored XSS event can undermine trust in your brand and create downstream risks that look like “marketing problems” but quickly become legal, compliance, and revenue problems. Impact can include unauthorized changes to what users see on your site, deceptive on-page messages, or scripts that attempt to capture user interactions—especially on pages where category descriptions are displayed.

Business impacts may include reputation damage, reduced conversion rates, increased support volume, and potential compliance concerns depending on what data is exposed or how visitors are affected. Even though this vulnerability requires Administrator-level access, that requirement doesn’t eliminate risk—admin accounts are high-value targets and often shared across teams, agencies, and tools.

Mitigation note: since no patch is currently known, organizations should assess risk tolerance and apply compensating controls (minimizing administrator accounts, enforcing multi-factor authentication on them, and monitoring admin logins and term edits) and, where appropriate, uninstall Allow HTML in Category Descriptions and replace it with a safer alternative. Uninstalling restores core filtering for new saves but does not clean content already stored, so existing category and other term descriptions should be reviewed for injected markup as part of the same change.
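The following audit helper is an added example, not code from the plugin or the advisory. It runs inside a WordPress bootstrap (for example via the WP-CLI command wp eval-file) and lists term descriptions whose stored value would change under wp_kses_post, together with a simple regex indicator for the script-bearing constructs that matter here. The function name prefixed ahcd_example_ is invented; get_taxonomies, get_terms, is_wp_error and wp_kses_post are WordPress core functions, and WP_CLI is the constant WP-CLI defines when it loads WordPress.

```php
<?php
/*
 * Added audit helper (not the plugin's code). Run as:
 *     wp eval-file ahcd-audit.php
 * Lists term descriptions containing markup that wp_kses_post would strip.
 * wp_kses_post also normalises harmless markup (attribute quoting, entity
 * encoding), so "kses_changed" means "review this row", not "this row is
 * malicious"; the "script_indicator" flag narrows it to the constructs a
 * stored-XSS payload needs.
 */

/**
 * Return term descriptions that wp_kses_post would alter.
 *
 * @param string[] $taxonomies Taxonomies to scan; empty means all registered.
 * @return array<int, array<string, mixed>> One row per suspect term.
 */
function ahcd_example_find_suspect_term_descriptions( array $taxonomies = array() ) {
	if ( empty( $taxonomies ) ) {
		$taxonomies = get_taxonomies();
	}
	// Constructs that core's kses would normally remove and that an XSS
	// payload relies on: a script tag, an on* event attribute, a javascript: URL.
	$indicator = '/<\s*script\b|\son[a-z]+\s*=|javascript\s*:/i';
	$suspect   = array();

	foreach ( $taxonomies as $taxonomy ) {
		// hide_empty => false so terms with no assigned posts are scanned too.
		$terms = get_terms( array( 'taxonomy' => $taxonomy, 'hide_empty' => false ) );
		if ( is_wp_error( $terms ) ) {
			continue;
		}
		foreach ( $terms as $term ) {
			// WP_Term objects from get_terms() carry the raw stored description;
			// the 'term_description' display filter is not applied here.
			$raw = (string) $term->description;
			if ( '' === $raw ) {
				continue;
			}
			$kses_changed     = ( wp_kses_post( $raw ) !== $raw );
			$script_indicator = (bool) preg_match( $indicator, $raw );
			if ( $kses_changed || $script_indicator ) {
				$suspect[] = array(
					'taxonomy'         => $taxonomy,
					'term_id'          => (int) $term->term_id,
					'name'             => $term->name,
					'kses_changed'     => $kses_changed,
					'script_indicator' => $script_indicator,
					'excerpt'          => substr( $raw, 0, 120 ),
				);
			}
		}
	}
	return $suspect;
}

// When executed through WP-CLI, print one line per suspect term.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
	foreach ( ahcd_example_find_suspect_term_descriptions() as $row ) {
		printf(
			"%s #%d (%s): kses_changed=%s script_indicator=%s | %s\n",
			$row['taxonomy'],
			$row['term_id'],
			$row['name'],
			$row['kses_changed'] ? 'yes' : 'no',
			$row['script_indicator'] ? 'YES' : 'no',
			str_replace( "\n", ' ', $row['excerpt'] )
		);
	}
}
```

Rows with script_indicator=YES are the ones to treat as incident evidence: capture the raw description before editing it, check the term’s last editor and the admin login history around that time, and only then replace the description. Rows where only kses_changed is set are usually benign formatting differences but are worth a glance while the list is open.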

Similar Attacks

Stored XSS has repeatedly been used to damage brands, redirect traffic, and inject unwanted content into legitimate sites. While the exact mechanics vary by platform and plugin, these real-world incidents illustrate the broader pattern:

Elementor Pro vulnerability abuse leading to site hijacks (BleepingComputer)

Wordfence reporting on a critical Elementor vulnerability (Wordfence)
