
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Jun 2025 — Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon allows XML Entity Linking. This issue affects Category Icon: from n/a through 1.0.2. The Category Icon plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in versions up to, and including, 1.0.2. This may make it possible for authenticated attackers, with author-level access and above, to extract sensitive data or achieve code execution in vulnerable configurations. • https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-xml-external-entity-xxe-vulnerability?_s_id=cve • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Apr 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pixelgrade Category Icon allows Path Traversal. This issue affects Category Icon: from n/a through 1.0.0. The Category Icon plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. • https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-0-arbitrary-file-download-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')