CVE-2026-0693 is a stored cross-site scripting vulnerability found in the WordPress plugin 'Allow HTML in Category Descriptions' by arnoesterhuizen, affecting all versions up to and including 1.2.4. The root cause is the plugin's unconditional removal of the wp_kses_data output filter on fields such as term_description, link_description, link_notes, and user_description without verifying the user's capability to input HTML safely. This flaw allows authenticated users with administrator-level privileges or higher to inject arbitrary JavaScript into category descriptions. When any user accesses a page displaying these category descriptions, the injected scripts execute in their browser context, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability specifically impacts WordPress multisite installations or those where the unfiltered_html capability is disabled, as these configurations normally restrict HTML input to trusted users. The attack vector requires high privileges (administrator or above), no user interaction is needed once the script is injected, and the scope is limited to sites using this plugin in the specified configurations. The CVSS 3.1 base score is 4.4, indicating medium severity due to the combination of network attack vector, high attack complexity, and required privileges. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risk of improper input sanitization and capability checks in WordPress plugins that extend HTML input functionality.

For European organizations, the impact of CVE-2026-0693 is primarily on the confidentiality and integrity of user sessions and data within affected WordPress multisite environments. Successful exploitation could allow an attacker with administrator privileges to execute malicious scripts in the browsers of site visitors or other administrators, potentially leading to session hijacking, unauthorized actions, or defacement. While availability is not directly impacted, the reputational damage and potential data leakage could be significant for organizations relying on WordPress for public-facing or internal multisite deployments. The requirement for administrator-level access limits the risk to insider threats or compromised admin accounts, but given the widespread use of WordPress in Europe, especially in government, education, and media sectors, the vulnerability could be leveraged in targeted attacks. Organizations with strict content policies disabling unfiltered_html are particularly vulnerable, as the plugin bypasses these restrictions. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

European organizations should take the following specific actions to mitigate CVE-2026-0693: 1) Immediately audit WordPress multisite installations for the presence of the 'Allow HTML in Category Descriptions' plugin and assess usage of category descriptions containing HTML. 2) Restrict administrator privileges to trusted personnel and enforce strong authentication mechanisms to reduce the risk of privilege abuse. 3) Temporarily disable or remove the vulnerable plugin until a patched version is released. 4) Monitor category descriptions and other affected fields for suspicious or unexpected HTML or JavaScript content, using automated scanning tools where possible. 5) Implement Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting script execution sources. 6) Educate administrators about the risks of injecting untrusted HTML content and enforce strict content input policies. 7) Stay updated with vendor advisories and apply patches promptly once available. 8) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious scripts in category descriptions. These measures go beyond generic advice by focusing on the specific plugin, multisite configurations, and administrative controls.