CVE-2025-31039 CRITICAL

CVE-2025-31039: WordPress Category Icon plugin <= 1.0.3 - XML External Entity (XXE) vulnerability

Vendor Pixelgrade
Product Category Icon
Weakness CWE-611 · XXE
Published June 9, 2025
Last update April 28, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon category-icon allows XML Entity Linking. This issue affects Category Icon: from n/a through <= 1.0.3.

Explanation of Vulnerability in Simple Terms

02 Summary

Category Icon versions 1.0.3 and earlier contain an XML External Entity (XXE) vulnerability. An authenticated administrator can upload a malicious XML file that causes the site to read local files or make outbound requests. The vulnerability affects confidentiality, integrity, and availability of the site. Update to a version newer than 1.0.3.
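The mitigation side of the weakness above, as an added example that is not code from the Category Icon plugin: a PHP loader for an admin-uploaded XML file that refuses DOCTYPE and entity declarations and parses with external entity resolution and network access disabled. The function name and the sample XML are constructed for illustration.

```php
<?php
// Added example (not code from the Category Icon plugin): a hardened loader for
// an XML file uploaded through an admin import screen. The XXE described above
// needs the parser to honour a DOCTYPE carrying an external entity; this loader
// refuses any DOCTYPE and parses with network access switched off.

function category_icon_safe_load_xml(string $xml): ?DOMDocument
{
    // Hypothetical helper name. Byte-level pre-check: an import file has no
    // legitimate need for a DOCTYPE or entity declarations, so reject them early.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        return null;
    }

    // PHP 8.0+ disables external entity loading by default; on older PHP the
    // (now deprecated) libxml_disable_entity_loader(true) gives the same guarantee.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->resolveExternals   = false; // never fetch an external DTD subset
    $doc->substituteEntities = false; // never expand entity references
    // LIBXML_NONET forbids any network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately absent: those flags are what enable XXE.
    $loaded = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // Belt and braces: if a DOCTYPE slipped past the pre-check (for example via
    // an unusual encoding), the parsed document still carries it; reject it here.
    if ($loaded === false || $doc->doctype !== null) {
        return null;
    }
    return $doc;
}

// Constructed sample inputs. The first declares an entity with a placeholder
// URI and must be refused; the second is a plain settings file and is accepted.
$rejected = category_icon_safe_load_xml(
    '<?xml version="1.0"?><!DOCTYPE icons [<!ENTITY ext SYSTEM "placeholder-uri">]>'
    . '<icons><icon term="1">&ext;</icon></icons>'
);
$accepted = category_icon_safe_load_xml(
    '<?xml version="1.0"?><icons><icon term="1" icon="dashicons-tag"/></icons>'
);
echo ($rejected === null) ? "entity-bearing upload refused\n" : "UNEXPECTED: accepted\n";
echo ($accepted instanceof DOMDocument) ? "plain upload accepted\n" : "UNEXPECTED: refused\n";
```

The pre-check alone is not sufficient on its own, which is why the post-parse `doctype` test and the parser flags are kept as well.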

What an attacker can do

03 Attacker Capabilities

Read local files, modify site data, or make the site send requests to external systems.

Potential impact on your site

04 Site Impact

An admin account compromise could lead to data theft, site defacement, or lateral network attacks.

Conditions required to exploit

05 Prerequisites

The attacker must hold administrator privileges and be able to upload a crafted XML file.

Key dates

06 Disclosure timeline

June 9, 2025 CVE published
April 28, 2026 Record updated