Skip to main content

List of Posts from each Category CVE-2025-28894

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 25, 2026 - 00:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 25, 2026 - 00:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.

AnalysisAI

Stored XSS via CSRF vulnerability in the List of Posts from each Category WordPress plugin (versions up to 2.0) allows remote attackers to inject persistent malicious scripts into the site by tricking an authenticated administrator into submitting a crafted request. The CSRF weakness (CWE-352) enables the XSS payload delivery without direct admin interaction with malicious content. Publicly disclosed via Patchstack with low EPSS score (0.05%, 14th percentile), indicating minimal observed exploitation attempts despite network-based attack vector requiring only user interaction.

Technical ContextAI

This is a CSRF-to-XSS chain vulnerability in a WordPress plugin that displays categorized post listings. The CSRF flaw (CWE-352) stems from missing or inadequate nonce validation on administrative functions that accept user input for display configuration. When an authenticated WordPress administrator with plugin management privileges is socially engineered to visit an attacker-controlled page or click a malicious link while logged into their WordPress dashboard, the CSRF triggers a forged request that submits XSS payloads. These payloads are stored in the WordPress database (likely in plugin settings or widget configurations) and subsequently rendered to other users viewing the affected pages. The changed scope (S:C) in the CVSS vector indicates the XSS executes in the victim's browser context beyond the vulnerable plugin component itself. CPE data not provided; affected product identified as 'list-posts-by-category' WordPress plugin maintained by frucomerci, versions through 2.0.

Affected ProductsAI

The vulnerability affects the List of Posts from each Category plugin for WordPress developed by frucomerci, impacting all versions from the initial release through version 2.0 inclusive. The plugin WordPress.org slug is 'list-posts-by-category'. According to Patchstack database reference, installations running version 2.0 or earlier are vulnerable to this CSRF-to-stored-XSS attack chain. No specific WordPress core version requirements are documented, but the plugin requires WordPress with admin dashboard functionality and user authentication capabilities.

RemediationAI

Upgrade the List of Posts from each Category plugin to a patched version newer than 2.0 if available through the WordPress plugin repository or vendor channels. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability for specific patch version guidance and release timeline. If no patched version is confirmed available, implement compensating controls: disable or uninstall the plugin if not business-critical (eliminates attack surface entirely); restrict WordPress admin dashboard access to trusted IP ranges via firewall rules or .htaccess (reduces CSRF exposure but impacts admin mobility); implement Content Security Policy headers to mitigate XSS execution (defense-in-depth, but may break legitimate plugin JavaScript functionality); train administrators to verify WordPress nonce tokens in URLs and avoid clicking external links while authenticated to wp-admin (relies on user discipline). As an additional layer, review plugin settings and widget configurations for suspicious JavaScript or HTML injection that may indicate prior compromise.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-28894 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy