CVE-2025-31039 PUBLISHED

WordPress Category Icon plugin <= 1.0.3 - XML External Entity (XXE) vulnerability

Assigner: Patchstack
Reserved: 26.03.2025 Published: 09.06.2025 Updated: 28.04.2026

Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon category-icon allows XML Entity Linking. This issue affects Category Icon: from n/a through <= 1.0.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Product Status

Vendor pixelgrade
Product Category Icon
Versions Default: unaffected
  • affected from 0 to 1.0.3 (incl.)

Credits

  • mcdruid | Patchstack Bug Bounty Program finder

References

Problem Types

  • Improper Restriction of XML External Entity Reference CWE

Impacts

  • XML Entity Linking