CVE-2026-0693 is a stored cross-site scripting vulnerability identified in the 'Allow HTML in Category Descriptions' WordPress plugin developed by arnoesterhuizen. The vulnerability exists in all versions up to and including 1.2.4. The root cause is the plugin's unconditional removal of the wp_kses_data output filter on several fields—term_description, link_description, link_notes, and user_description—without verifying the user's capabilities. Normally, wp_kses_data sanitizes HTML content to prevent injection of malicious scripts. By removing this filter, the plugin allows HTML content, including potentially harmful JavaScript, to be stored and rendered unsanitized. An attacker with administrator-level access or higher can exploit this by injecting arbitrary scripts into category descriptions. These scripts execute in the context of any user visiting pages where the compromised category description is displayed, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability is limited to WordPress multisite installations or sites where the unfiltered_html capability is disabled, as these configurations affect how HTML content is filtered and rendered. The CVSS 3.1 base score is 4.4, indicating medium severity, with attack vector network, high attack complexity, high privileges required, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk in environments where the plugin is used and the conditions are met.

The primary impact of CVE-2026-0693 is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of user sessions and data. An attacker with administrator privileges can inject malicious JavaScript that executes in the browsers of users viewing affected category descriptions. This could lead to theft of authentication cookies, unauthorized actions performed on behalf of users, or defacement of website content. Although exploitation requires high privileges, the vulnerability could facilitate lateral movement or privilege escalation within a compromised WordPress environment. The impact is confined to multisite installations or sites with unfiltered_html disabled, limiting the scope somewhat. However, given WordPress's widespread use, especially in multisite configurations for large organizations, educational institutions, and hosting providers, the vulnerability could affect a significant number of sites. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern for administrators of affected sites. The medium CVSS score reflects the balance between the required privileges and the potential damage from exploitation.

To mitigate CVE-2026-0693, administrators should immediately update the 'Allow HTML in Category Descriptions' plugin to a patched version once available. In the absence of an official patch, temporarily disabling the plugin or restricting its use to trusted administrators can reduce risk. Site owners should verify that the wp_kses_data filter is properly applied to all user-generated content fields, especially term_description and related fields. Implementing strict user role management to limit administrator access reduces the likelihood of malicious script injection. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing category descriptions and other user-editable fields for suspicious content is recommended. For multisite installations, carefully review the configuration of unfiltered_html capabilities and consider enabling it only for trusted users. Employing web application firewalls (WAFs) that detect and block XSS payloads can provide an additional layer of defense. Finally, educating administrators about the risks of injecting arbitrary HTML and scripts into category descriptions is essential to prevent exploitation.