CTparental before 4.45.03 is vulnerable to cross-site scripting (XSS) in the CTparental admin panel. In bl_categires_help.php, the "categories" variable is assigned with the content of the query string param "cat" without sanitization or encoding, enabling an attacker to inject malicious code into the output webpage.
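The pattern described above, next to a hardened form, as an added example that is not CTparental's own code. The function names, the category allowlist and the sample input are assumptions constructed for illustration; only the "cat" parameter and the "categories" variable come from the advisory.

```php
<?php
// Added illustration, not CTparental source. All names are hypothetical
// except the "cat" parameter and the $categories variable.

// Constructed allowlist standing in for the real set of category names.
const KNOWN_CATEGORIES = ['adult', 'gambling', 'malware'];

// Pattern the advisory describes: the query-string value is copied into
// the page unchanged, so any markup in ?cat= is parsed by the browser.
function render_help_unencoded(array $query): string
{
    $categories = $query['cat'] ?? '';
    return '<h2>Help: ' . $categories . '</h2>';
}

// Encode for the HTML context at the point of output.
function h($value): string
{
    // Non-string input (e.g. ?cat[]=x arrives as an array) becomes empty.
    $text = is_string($value) ? $value : '';
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: validate against known values, then still encode, so the
// output stays safe even if the allowlist later gains unusual entries.
function render_help_hardened(array $query): string
{
    $categories = $query['cat'] ?? '';
    if (!is_string($categories)
        || !in_array($categories, KNOWN_CATEGORIES, true)) {
        $categories = 'unknown';
    }
    return '<h2>Help: ' . h($categories) . '</h2>';
}

// Constructed, harmless sample input containing markup.
$sample = ['cat' => '<b>gambling</b>'];

echo render_help_unencoded($sample), PHP_EOL; // markup passes through as-is
echo '<h2>Help: ' . h($sample['cat']) . '</h2>', PHP_EOL; // &lt;b&gt;...
echo render_help_hardened($sample), PHP_EOL;  // rejected, shows "unknown"
echo render_help_hardened(['cat' => 'gambling']), PHP_EOL; // accepted
```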