CVE-2025-31039 PUBLISHED

WordPress Category Icon plugin <= 1.0.2 - XML External Entity (XXE) vulnerability

Assigner: Patchstack
Reserved: 26.03.2025 Published: 09.06.2025 Updated: 10.06.2025

Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	pixelgrade
Product	Category Icon
Versions	Default: unaffected affected from n/a to 1.0.2 (incl.)

Credits

Drew / mcdruid (Patchstack Alliance) finder

References

https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-xml-external-entity-xxe-vulnerability?_s_id=cve

Problem Types

CWE-611 Improper Restriction of XML External Entity Reference CWE

Impacts

CAPEC-201 XML Entity Linking