Skip to main content

Featured Posts Grid CVE-2025-28905

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:38 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaser324 Featured Posts Grid allows Stored XSS. This issue affects Featured Posts Grid: from n/a through 1.7.

AnalysisAI

Stored cross-site scripting in Featured Posts Grid WordPress plugin (versions up to 1.7) allows remote attackers to inject malicious scripts that execute in administrator browsers. Patchstack reporting indicates this is a CSRF-to-Stored-XSS chain, meaning attackers can trick authenticated administrators into unknowingly storing malicious payloads. EPSS probability is low (0.09%, 26th percentile) with no CISA KEV listing, indicating targeted rather than widespread exploitation risk. The Changed scope (S:C) in CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope.

Technical ContextAI

This vulnerability is a Stored XSS (CWE-79) in the Featured Posts Grid WordPress plugin, which allows users to display featured posts in a grid layout. The plugin fails to properly sanitize user input before storing and rendering it in the administrative interface. Based on Patchstack's reference to 'CSRF to Stored XSS', the attack chain likely exploits inadequate CSRF protections on administrative forms combined with insufficient output encoding. When malicious input is saved to the WordPress database through a CSRF-exploited form submission, it is later rendered without proper escaping in administrator contexts. The network attack vector (AV:N) with no authentication required (PR:N) suggests the CSRF component can be triggered remotely, though actual exploitation requires tricking an authenticated administrator (UI:R).

Affected ProductsAI

WordPress Featured Posts Grid plugin versions from earliest release through 1.7 are vulnerable. The plugin is authored by Chaser324 and distributed through the WordPress plugin repository. CPE data not provided in NVD record. According to Patchstack vulnerability database (linked in references), all versions up to and including 1.7 contain the improper input neutralization flaw that enables the CSRF-to-Stored-XSS attack chain.

RemediationAI

Update Featured Posts Grid plugin to version 1.7.1 or later if available. Verify patched version availability at the official WordPress plugin repository or Patchstack advisory (https://patchstack.com/database/wordpress/plugin/featured-posts-grid/vulnerability/wordpress-featured-posts-grid-plugin-1-7-csrf-to-stored-xss-vulnerability). If no patch is released, remove the plugin and replace with actively maintained alternatives like 'Post Grid' or 'Content Views'. As interim mitigation, restrict plugin administrative access to only trusted users via role-based access controls, implement Content Security Policy headers to limit inline script execution (note: may break legitimate plugin functionality requiring testing), and educate administrators not to click external links while logged into WordPress admin panel. Monitor WordPress database tables used by the plugin for suspicious script tags in stored post metadata. Note that CSP implementation requires theme-level changes and may conflict with other plugins using inline JavaScript.

Share

CVE-2025-28905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy