| Plugin Name | Allow HTML in Category Descriptions |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-0693 |
| Urgency | Low |
| CVE Publish Date | 2026-02-13 |
| Source URL | CVE-2026-0693 |
Urgent: Stored XSS in “Allow HTML in Category Descriptions” (<= 1.2.4) — What WordPress Site Owners Must Do Now
Summary: A stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-0693) has been disclosed in the WordPress plugin “Allow HTML in Category Descriptions” (versions ≤ 1.2.4). An authenticated user with Administrator-level privileges can inject malicious HTML/JavaScript into category descriptions that can later execute in visitors’ or other administrators’ browsers. There is currently no official patch for the vulnerable versions. This advisory explains technical details, threat scenarios, immediate mitigations, detection and clean-up steps, and longer-term hardening from the perspective of a Hong Kong security expert.
Note: If you run this plugin and have an affected version installed, treat this as a high-priority site security task — even though the vulnerability requires administrator privileges, the impact can be significant in practice.
What is the vulnerability?
- Type: Stored Cross-Site Scripting (XSS).
- Affected component: WordPress plugin “Allow HTML in Category Descriptions” — versions ≤ 1.2.4.
- CVE: CVE-2026-0693.
- CVSS: 5.9 (medium), Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L.
- Root cause: The plugin allows administrators to save unfiltered HTML in taxonomy descriptions without proper sanitization or output encoding. Malicious JavaScript stored in a category description can be executed in the context of a page that renders that description (front-end or certain admin views), enabling cookie theft, privilege abuse, or actions performed with the victim’s browser session.
Why this matters: Administrators are trusted accounts. An attacker who compromises an admin account (or tricks an admin to save a crafted description) can persist scripts that victimize other admin users or site visitors. Consequences include site defacement, credential harvesting, malicious redirects, or full site takeover through chained attacks.
How an attacker can exploit this
- Attacker obtains or compromises an Administrator account (phishing, password reuse, insider), or tricks an admin into saving a payload.
- Through the plugin interface (category edit screen) or another entry point that updates taxonomy descriptions, the attacker injects a payload into the category description field, e.g. a `<script>` element, an SVG with an onload/onerror handler, or attribute-based payloads such as onmouseover, srcset, or javascript: URIs.
- The payload is stored in the database (term_taxonomy.description).
- When an admin or visitor views the category page (or any admin page rendering that description), the script runs in their browser within the site’s origin.
- Possible attacker actions include:
  - Collect cookies/localStorage and send them to a remote server.
  - Use the victim’s authenticated browser session to call WordPress REST/AJAX endpoints (potentially creating users, installing plugins, modifying options) if nonce or capability checks are weak.
  - Inject further malicious content (ads, redirects, credential harvesting forms) or modify admin pages.
Important nuance: Many WordPress installations set auth cookies as HttpOnly, preventing direct cookie access by JS. However, JavaScript can still perform authenticated XHR/fetch requests if same-origin and nonce protections are absent or if nonces are stolen. Attackers can chain XSS with other weaknesses to escalate impact.
User interaction: Although some reports classify this as requiring user interaction (e.g., an admin visiting a crafted page), stored XSS is persistent and can execute automatically when pages are loaded.
Immediate, prioritized actions (within the next hour)
- Disable the plugin now
Go to wp-admin → Plugins and deactivate “Allow HTML in Category Descriptions” immediately. If you cannot access the admin panel, disable it via FTP or your hosting file manager by renaming the plugin folder, e.g. `wp-content/plugins/allow-html-in-category-descriptions` to `wp-content/plugins/allow-html-in-category-descriptions-disabled`; WordPress deactivates a plugin whose directory it can no longer find.
- Put the site in maintenance mode (if appropriate)
If you suspect active exploitation (visible redirects, defacement, spam), temporarily block public access while you investigate.
- Audit and rotate administrative credentials
Force password resets for all Administrator accounts. Revoke sessions and tokens (Users → All Users → for each admin, “Log out everywhere” or use session-expiry tools). Enforce strong passwords and enable Two-Factor Authentication (2FA) for admin accounts.
- Block new requests that attempt to save XSS payloads
If you can deploy request filtering at the host, CDN, or via a Web Application Firewall (WAF), block POST requests that attempt to save category descriptions containing script-like patterns. See suggested WAF rules later in this article.
- Backup your site (files + DB)
Create a full backup before modifying or cleaning the site. Export the database and download wp-content and uploads for forensic copies.
- Scan for indicators of compromise immediately
Look for unexpected users, unknown files, scheduled tasks (wp_cron jobs), changed option values, and injected content in posts, pages, and taxonomy descriptions.
Investigation: find malicious category descriptions and scope the damage
Category descriptions are stored in the database; search for script-like content quickly.
Using WP-CLI (recommended if you have shell access; replace the `wp_` prefix if your installation uses a different one):
```sh
wp db query "SELECT term_taxonomy_id, term_id, description FROM wp_term_taxonomy WHERE description LIKE '%<script%';"
wp db query "SELECT term_taxonomy_id, term_id, description FROM wp_term_taxonomy WHERE description REGEXP '(script|onerror|onload|javascript:|data:|iframe|svg|img)';"
```
The second pattern is deliberately broad: `img`, `svg` and `data:` also occur in legitimate descriptions, so expect false positives and review matches by hand rather than deleting them blindly.
If you don’t have WP-CLI, run equivalent SQL in phpMyAdmin or your hosting database tool.
Also check:
- Posts and pages: search `post_content` for similar patterns: `SELECT ID, post_title FROM wp_posts WHERE post_content REGEXP '(script|onerror|onload|javascript:|data:|iframe|svg|img)';`
- Widgets and theme options: check `wp_options` for injected HTML.
- Plugin/theme files: look for unfamiliar or obfuscated code.
If you find suspicious descriptions, export them for forensics before making mass modifications.
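As an added example that is not part of the original advisory, the following Python script applies the same pattern-based triage as the WP-CLI queries above to rows shaped like the `wp_term_taxonomy` result set, but separates signals that have no legitimate use in a category description (a script tag, an on* event-handler attribute, a javascript: URI, an iframe) from the broader ones in the advisory's regex (img, svg, data:) that also match ordinary markup and only need a human look. The rows, pattern names and the `Finding` structure are constructed for the example; in practice you would feed it rows exported from the database with `wp db query` or phpMyAdmin.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample rows, shaped like the columns of the advisory's WP-CLI query:
# (term_taxonomy_id, term_id, description). "alert(1)" is the usual harmless
# test marker, not a live payload.
SAMPLE_ROWS: List[Tuple[int, int, str]] = [
    (3, 3, 'Posts about <em>travel</em>. See <a href="https://example.com/guide">the guide</a>.'),
    (4, 4, 'Gallery <img src="/wp-content/uploads/cover.jpg" alt="cover">'),
    (5, 5, 'Reviews <script src="https://cdn.invalid/x.js"></script>of gadgets'),
    (6, 6, 'Deals <img src="x" onerror="alert(1)">'),
    (7, 7, 'Icons <svg onload="alert(1)"><circle r="1"/></svg>'),
    (8, 8, 'Read <a href="javascript:alert(1)">more</a>'),
    (9, 9, 'Logo <img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">'),
]

# Signals that have no legitimate use in a category description.
HIGH_CONFIDENCE = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action|xlink:href)\s*=\s*['\"]?\s*javascript:", re.I),
    "iframe_tag": re.compile(r"<\s*iframe\b", re.I),
}
# Signals from the advisory's broad REGEXP that also match ordinary markup.
REVIEW = {
    "svg_tag": re.compile(r"<\s*svg\b", re.I),
    "data_uri": re.compile(r"=\s*['\"]?\s*data:", re.I),
    "img_tag": re.compile(r"<\s*img\b", re.I),
    "srcset_attr": re.compile(r"\bsrcset\s*=", re.I),
}


class Finding(NamedTuple):
    term_taxonomy_id: int
    term_id: int
    severity: str             # "high": clean up; "review": human look needed
    signals: Tuple[str, ...]  # pattern names that matched, high-confidence first
    snippet: str              # text around the first match, for the forensic export


def triage_descriptions(rows):
    """Return one Finding per row that matched at least one signal, 'high' rows first."""
    findings = []
    for tt_id, term_id, desc in rows:
        high = [(n, m) for n, rx in HIGH_CONFIDENCE.items() if (m := rx.search(desc))]
        review = [(n, m) for n, rx in REVIEW.items() if (m := rx.search(desc))]
        hits = high + review
        if not hits:
            continue
        first = min(hits, key=lambda h: h[1].start())[1]
        snippet = desc[max(0, first.start() - 15): first.end() + 45]
        findings.append(Finding(tt_id, term_id, "high" if high else "review",
                                tuple(n for n, _ in hits), snippet))
    # Definite hits first, then the rows that only need review, each by id.
    findings.sort(key=lambda f: (f.severity != "high", f.term_taxonomy_id))
    return findings


if __name__ == "__main__":
    for f in triage_descriptions(SAMPLE_ROWS):
        print(f"{f.severity:6} tt_id={f.term_taxonomy_id} signals={','.join(f.signals)} :: {f.snippet!r}")
```

Keep the `snippet` column in the export you make before any cleanup: it records exactly what was stored, which is what you need for the incident timeline even after the description has been repaired.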
Cleaning infected descriptions safely
Option A — Manual removal (small number of entries)
In wp-admin go to Posts → Categories, open each suspect category and remove the payload from its description by hand, saving one term at a time so you can confirm the result.
Option B — Database cleanup (large or automated cleanup)
Test on a backup first. Example SQL to remove `<script>` blocks from term descriptions (REGEXP_REPLACE needs MySQL 8.0+ or MariaDB 10.0.5+; the inline `(?is)` flags make the match case-insensitive and let `.` span newlines on both engines):
```sql
UPDATE wp_term_taxonomy
SET description = REGEXP_REPLACE(description, '(?is)<script[^>]*>.*?</script>', '')
WHERE description REGEXP '(?i)<script';
```
This removes only `<script>` blocks. Payloads carried in event-handler attributes (onload, onerror, onmouseover) or in javascript: URIs, which the exploitation section above describes, survive it and still need manual review or an allowlist-based re-sanitization of the affected descriptions.
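Both the root cause described earlier (the plugin stores administrator-supplied HTML without an allowlist filter) and the limitation of the SQL cleanup above (it removes only `<script>` blocks) come down to the same point: sanitization has to be allowlist-based, as WordPress's own `wp_kses_post()` is, not a blocklist of known-bad tags. The following Python is an added example, not the plugin's or WordPress's code: a small allowlist sanitizer built on the standard library's `html.parser`, run beside a regex-only script stripper equivalent to the REGEXP_REPLACE statement, so the difference on attribute-based payloads is visible. The tag allowlist, the scheme set, the sample descriptions and the function names are constructed for the example; a real cleanup would pass each description through `wp_kses_post()` rather than this toy.

```python
import re
from html import escape
from html.parser import HTMLParser

# Regex-only cleanup, equivalent to the REGEXP_REPLACE statement: strips
# <script> blocks and nothing else.
SCRIPT_BLOCK = re.compile(r"<script[^>]*>.*?</script>", re.I | re.S)


def strip_script_blocks(raw: str) -> str:
    return SCRIPT_BLOCK.sub("", raw)


# Allowlist constructed for this example (wp_kses_post()'s real list is much longer).
ALLOWED = {
    "a": {"href", "title", "rel"}, "abbr": {"title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    # Remove whitespace/control characters used to disguise a scheme ("java\tscript:"),
    # then accept the URL only if it is relative or uses a listed scheme.
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    m = re.match(r"([a-z][a-z0-9+.-]*):", v)
    return m is None or m.group(1) in SAFE_SCHEMES


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_content = 0   # >0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._drop_content += 1
            return
        if tag not in ALLOWED:
            return               # unknown tag removed, its text content kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue         # event handlers and unlisted attributes dropped
            if name in ("href", "src") and not _safe_url(value):
                continue         # javascript:, data:, vbscript: URIs dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED and tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._drop_content = max(0, self._drop_content - 1)
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_content:
            self.out.append(escape(data, quote=False))   # text re-encoded on output

    def handle_comment(self, data):
        pass                     # comments (including conditional comments) dropped


def sanitize_description(raw: str) -> str:
    """Allowlist-filter a term description, the way wp_kses_post() would."""
    p = _AllowlistSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)


# Constructed samples; "alert(1)" is the usual harmless test marker.
SAMPLES = {
    "benign":  'Posts about <em>travel</em>. See <a href="https://example.com/guide" title="Guide">the guide</a>.',
    "script":  'Reviews <script src="https://cdn.invalid/x.js"></script>of gadgets',
    "handler": 'Deals <img src="/wp-content/uploads/sale.png" alt="sale" onerror="alert(1)">',
    "js_uri":  'Read <a href="javascript:alert(1)">more</a>',
    "svg":     'Icons <svg onload="alert(1)"><circle r="1"/></svg>here',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} regex-only: {strip_script_blocks(raw)!r}")
        print(f"{'':8} allowlist : {sanitize_description(raw)!r}")
```

The regex-only pass leaves the `onerror`, `onload` and `javascript:` samples untouched, while the allowlist pass keeps the benign description byte-for-byte and strips only the handler attribute, the unsafe URL and the unlisted `svg` element. That is the property to look for in whatever filter you put back in front of term descriptions once the plugin is gone.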