Featured Posts Grid CVE-2025-28905
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaser324 Featured Posts Grid allows Stored XSS. This issue affects Featured Posts Grid: from n/a through 1.7.
AnalysisAI
Stored cross-site scripting in Featured Posts Grid WordPress plugin (versions up to 1.7) allows remote attackers to inject malicious scripts that execute in administrator browsers. Patchstack reporting indicates this is a CSRF-to-Stored-XSS chain, meaning attackers can trick authenticated administrators into unknowingly storing malicious payloads. EPSS probability is low (0.09%, 26th percentile) with no CISA KEV listing, indicating targeted rather than widespread exploitation risk. The Changed scope (S:C) in CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope.
Technical ContextAI
This vulnerability is a Stored XSS (CWE-79) in the Featured Posts Grid WordPress plugin, which allows users to display featured posts in a grid layout. The plugin fails to properly sanitize user input before storing and rendering it in the administrative interface. Based on Patchstack's reference to 'CSRF to Stored XSS', the attack chain likely exploits inadequate CSRF protections on administrative forms combined with insufficient output encoding. When malicious input is saved to the WordPress database through a CSRF-exploited form submission, it is later rendered without proper escaping in administrator contexts. The network attack vector (AV:N) with no authentication required (PR:N) suggests the CSRF component can be triggered remotely, though actual exploitation requires tricking an authenticated administrator (UI:R).
Affected ProductsAI
WordPress Featured Posts Grid plugin versions from earliest release through 1.7 are vulnerable. The plugin is authored by Chaser324 and distributed through the WordPress plugin repository. CPE data not provided in NVD record. According to Patchstack vulnerability database (linked in references), all versions up to and including 1.7 contain the improper input neutralization flaw that enables the CSRF-to-Stored-XSS attack chain.
RemediationAI
Update Featured Posts Grid plugin to version 1.7.1 or later if available. Verify patched version availability at the official WordPress plugin repository or Patchstack advisory (https://patchstack.com/database/wordpress/plugin/featured-posts-grid/vulnerability/wordpress-featured-posts-grid-plugin-1-7-csrf-to-stored-xss-vulnerability). If no patch is released, remove the plugin and replace with actively maintained alternatives like 'Post Grid' or 'Content Views'. As interim mitigation, restrict plugin administrative access to only trusted users via role-based access controls, implement Content Security Policy headers to limit inline script execution (note: may break legitimate plugin functionality requiring testing), and educate administrators not to click external links while logged into WordPress admin panel. Monitor WordPress database tables used by the plugin for suspicious script tags in stored post metadata. Note that CSP implementation requires theme-level changes and may conflict with other plugins using inline JavaScript.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today