List of Posts from each Category CVE-2025-28894
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.
AnalysisAI
Stored XSS via CSRF vulnerability in the List of Posts from each Category WordPress plugin (versions up to 2.0) allows remote attackers to inject persistent malicious scripts into the site by tricking an authenticated administrator into submitting a crafted request. The CSRF weakness (CWE-352) enables the XSS payload delivery without direct admin interaction with malicious content. Publicly disclosed via Patchstack with low EPSS score (0.05%, 14th percentile), indicating minimal observed exploitation attempts despite network-based attack vector requiring only user interaction.
Technical ContextAI
This is a CSRF-to-XSS chain vulnerability in a WordPress plugin that displays categorized post listings. The CSRF flaw (CWE-352) stems from missing or inadequate nonce validation on administrative functions that accept user input for display configuration. When an authenticated WordPress administrator with plugin management privileges is socially engineered to visit an attacker-controlled page or click a malicious link while logged into their WordPress dashboard, the CSRF triggers a forged request that submits XSS payloads. These payloads are stored in the WordPress database (likely in plugin settings or widget configurations) and subsequently rendered to other users viewing the affected pages. The changed scope (S:C) in the CVSS vector indicates the XSS executes in the victim's browser context beyond the vulnerable plugin component itself. CPE data not provided; affected product identified as 'list-posts-by-category' WordPress plugin maintained by frucomerci, versions through 2.0.
Affected ProductsAI
The vulnerability affects the List of Posts from each Category plugin for WordPress developed by frucomerci, impacting all versions from the initial release through version 2.0 inclusive. The plugin WordPress.org slug is 'list-posts-by-category'. According to Patchstack database reference, installations running version 2.0 or earlier are vulnerable to this CSRF-to-stored-XSS attack chain. No specific WordPress core version requirements are documented, but the plugin requires WordPress with admin dashboard functionality and user authentication capabilities.
RemediationAI
Upgrade the List of Posts from each Category plugin to a patched version newer than 2.0 if available through the WordPress plugin repository or vendor channels. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability for specific patch version guidance and release timeline. If no patched version is confirmed available, implement compensating controls: disable or uninstall the plugin if not business-critical (eliminates attack surface entirely); restrict WordPress admin dashboard access to trusted IP ranges via firewall rules or .htaccess (reduces CSRF exposure but impacts admin mobility); implement Content Security Policy headers to mitigate XSS execution (defense-in-depth, but may break legitimate plugin JavaScript functionality); train administrators to verify WordPress nonce tokens in URLs and avoid clicking external links while authenticated to wp-admin (relies on user discipline). As an additional layer, review plugin settings and widget configurations for suspicious JavaScript or HTML injection that may indicate prior compromise.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today