CVE-2025-46515
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget category-widget allows Reflected XSS.This issue affects Category Widget: from n/a through <= 2.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress Category Widget plugin <=2.0.2 allows attackers to inject malicious scripts via crafted requests.
CVE-2025-46515 is a reflected cross-site scripting (XSS) vulnerability in the WordPress Category Widget plugin, affecting versions up to and including 2.0.2. The vulnerability arises due to improper neutralization of user input during web page generation [1].
Exploitation requires a privileged user to perform an action, such as clicking a crafted link, but no additional authentication is needed from the attacker. This makes it suitable for mass exploitation campaigns targeting multiple WordPress sites [1].
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the web page, potentially leading to redirects, advertisement injection, or other malicious activities when visitors access the affected site [1].
The vendor has not yet released a patch, but Patchstack provides a mitigation rule to block attacks. Users are advised to update the plugin as soon as an official patch is available or to contact their hosting provider for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.