Category Icon Security & Risk Analysis
wordpress.org/plugins/category-icon
A WordPress plugin to easily attach an icon to a category, tag or any other taxonomy term.
Is Category Icon Safe to Use in 2026?
Mostly Safe
Score 72/100
Category Icon is generally safe to use. 4 past CVEs were resolved.
The "category-icon" plugin exhibits a mixed security posture. On one hand, the static analysis shows a very small attack surface, with no apparent AJAX handlers, REST API routes, shortcodes, or cron events accessible without proper authentication checks. The absence of dangerous functions and external HTTP requests is also a positive indicator.
However, there are significant concerns stemming from the vulnerability history and code analysis. The plugin has a history of four known CVEs, with one still unpatched, including medium severity vulnerabilities like XML External Entity (XXE) injection, Path Traversal, and Cross-Site Scripting (XSS). The code analysis reveals that only 50% of SQL queries use prepared statements, and a concerning 53% of output is not properly escaped. Furthermore, the complete lack of nonce and capability checks on any entry points is a critical oversight, especially given that the historical vulnerabilities often exploit these weaknesses. The taint analysis showing zero flows is positive, but it may be limited by the small number of entry points analyzed or the specific types of taint sources examined.
Key Concerns
- Unpatched CVE (medium severity)
- Medium severity vulnerabilities (XXE, Path Traversal, XSS)
- SQL queries not using prepared statements
- High percentage of unescaped output
- Missing nonce checks
- Missing capability checks
Category Icon Security Vulnerabilities
4 total CVEs
Category Icon <= 1.0.2 - Authenticated (Editor+) Stored Cross-Site Scripting
Category Icon <= 1.0.2 - Authenticated (Author+) XML External Entity Injection
Category Icon <= 1.0.1 - Authenticated (Author+) Arbitrary File Download
Category Icon <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Category Icon Release Timeline
Category Icon Code Analysis
SQL Query Safety
Output Escaping
Category Icon Attack Surface
WordPress Hooks 11
Category Icon Maintenance & Trust
Maintenance Signals
Community Trust
Category Icon Alternatives
Taxonomy Images
taxonomy-images
Associate images from your media library to categories, tags and custom taxonomies.
Advanced Category and Custom Taxonomy Image
advanced-category-and-custom-taxonomy-image
Add Custom Image To Your Category / Custom Taxonomy Field With Advanced Category and Custom Taxonomy Image Plugin.
Better Categories Images
better-categories-images
The Better Categories Images Plugin allows you to add an image to any category or taxonomy.
Display Category and Taxonomy List
display-category-and-taxonomy-list
Display WordPress categories or custom taxonomies in a responsive grid with featured images, titles and more. Fully customizable via settings.
Category Order and Taxonomy Terms Order
taxonomy-terms-order
Drag-and-drop ordering for Categories & any taxonomy (hierarchically) using a Drag and Drop Sortable JavaScript capability.
Category Icon Developer Profile
8 plugins · 37K total installs
How We Detect Category Icon
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/category-icon/inc/extras.php
- /wp-content/plugins/category-icon/admin/js/category-icon-admin.js
- category-icon/style.css?ver=
- category-icon/admin/js/category-icon-admin.js?ver=
HTML / DOM Fingerprints
- category-icon-wrapper
- category-icon-upload-field
- category-icon-preview
- category-icon-remove-button
- category-icon-add-button
- <!-- Category Icon Settings -->
- data-category-icon-id
- data-taxonomy
- data-term-id
- categoryIconAdmin
- /wp-json/category-icon/v1/upload
- <div class="category-icon-wrapper">