We verified a Stored XSS (CVE-2026-0693) in the "HTML in Category Descriptions" @WordPress plugin.
The Flaw: The plugin correctly restricts input but unintentionally removes global output filters (wp_kses_data) for all users.
The Impact: Malicious scripts in category descriptions execute for any visitor.
The Validation: Confirmed via autonomous PoC.
Security requires validating the full data lifecycle, not just lines of code.
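As an added illustration (not the plugin's own code), the contrast below shows the pattern the post describes beside a safer way to get the same feature. The WordPress hook names ('term_description' carrying wp_kses_data on output, 'pre_term_description' carrying wp_filter_kses on input) are core defaults; the function names starting with weak_, hardened_ and example_ are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Demonstrates why dropping the
// output filter (wp_kses_data) for every viewer is the dangerous part,
// and how to allow richer HTML while still sanitising on output.

// WEAK PATTERN: removing the output filter for all users. Anything that was
// ever stored in a description, by any path, is now echoed unsanitised on
// every page that prints it. Input checks alone no longer protect visitors.
function weak_allow_html_in_descriptions() {
    remove_filter( 'term_description', 'wp_kses_data' );
    remove_filter( 'pre_term_description', 'wp_filter_kses' );
}
// add_action( 'init', 'weak_allow_html_in_descriptions' );

// HARDENED PATTERN: keep sanitising on output, just with the richer 'post'
// allowlist instead of the 'data' one, and only relax input filtering for
// users who already hold the unfiltered_html capability.
function example_kses_post_for_terms( $description ) {
    // wp_kses_post() strips script/event-handler markup but keeps normal
    // post-content tags, so descriptions can carry formatting safely.
    return wp_kses_post( $description );
}

function hardened_allow_html_in_descriptions() {
    remove_filter( 'term_description', 'wp_kses_data' );
    add_filter( 'term_description', 'example_kses_post_for_terms' );

    if ( current_user_can( 'unfiltered_html' ) ) {
        remove_filter( 'pre_term_description', 'wp_filter_kses' );
        add_filter( 'pre_term_description', 'wp_filter_post_kses' );
    }
}
add_action( 'init', 'hardened_allow_html_in_descriptions' );
```

The point the post makes is visible in the two functions: the weak version trusts that input was clean at write time, while the hardened version still sanitises at read time, so a description stored before the plugin existed, or through another code path, cannot execute in a visitor's browser.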
Vulnerability details: https://www.cve.org/CVERecord?id=CVE-2026-0693