Skip to main content

CVE-2025-49354

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 06:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category recent-posts-from-each-category allows Stored XSS.This issue affects Recent Posts From Each Category: from n/a through <= 1.4.

AnalysisAI

Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.

Technical ContextAI

The Recent Posts From Each Category WordPress plugin fails to implement proper CSRF token validation (CWE-352) on administrative or user-input endpoints, combined with insufficient output encoding or input validation. This allows an attacker to craft a malicious request that, when executed by an authenticated administrator through social engineering, stores unsanitized user-controlled data in the WordPress database. When the plugin renders this data on the frontend via shortcodes or widgets, the stored JavaScript payload executes in visitor browsers without sanitization, achieving Stored XSS (CWE-79 derived impact). The plugin identifier is recent-posts-from-each-category, distributed through the WordPress plugin repository.

Affected ProductsAI

Recent Posts From Each Category WordPress plugin from version 1.0 (implied) through version 1.4 inclusive. The plugin is identified by slug recent-posts-from-each-category and hosted on the official WordPress plugin repository. No specific CPE string provided in vulnerability data, though the WordPress plugin ecosystem is commonly referenced as wp:plugin:recent-posts-from-each-category.

RemediationAI

Update to Recent Posts From Each Category version 1.5 or later, which should address the CSRF token validation and output sanitization flaws. Administrators using version 1.4 or earlier should navigate to WordPress admin dashboard > Plugins > Installed Plugins, find Recent Posts From Each Category, and click Update immediately. If an update is not yet available, deactivate and remove the plugin until a patched version is released. Review Patchstack's vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/recent-posts-from-each-category/vulnerability/wordpress-recent-posts-from-each-category-plugin-1-4-cross-site-request-forgery-csrf-vulnerability for the latest patch status and timeline.

Share

CVE-2025-49354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy