CVE-2025-49354
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category recent-posts-from-each-category allows Stored XSS.This issue affects Recent Posts From Each Category: from n/a through <= 1.4.
AnalysisAI
Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.
Technical ContextAI
The Recent Posts From Each Category WordPress plugin fails to implement proper CSRF token validation (CWE-352) on administrative or user-input endpoints, combined with insufficient output encoding or input validation. This allows an attacker to craft a malicious request that, when executed by an authenticated administrator through social engineering, stores unsanitized user-controlled data in the WordPress database. When the plugin renders this data on the frontend via shortcodes or widgets, the stored JavaScript payload executes in visitor browsers without sanitization, achieving Stored XSS (CWE-79 derived impact). The plugin identifier is recent-posts-from-each-category, distributed through the WordPress plugin repository.
Affected ProductsAI
Recent Posts From Each Category WordPress plugin from version 1.0 (implied) through version 1.4 inclusive. The plugin is identified by slug recent-posts-from-each-category and hosted on the official WordPress plugin repository. No specific CPE string provided in vulnerability data, though the WordPress plugin ecosystem is commonly referenced as wp:plugin:recent-posts-from-each-category.
RemediationAI
Update to Recent Posts From Each Category version 1.5 or later, which should address the CSRF token validation and output sanitization flaws. Administrators using version 1.4 or earlier should navigate to WordPress admin dashboard > Plugins > Installed Plugins, find Recent Posts From Each Category, and click Update immediately. If an update is not yet available, deactivate and remove the plugin until a patched version is released. Review Patchstack's vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/recent-posts-from-each-category/vulnerability/wordpress-recent-posts-from-each-category-plugin-1-4-cross-site-request-forgery-csrf-vulnerability for the latest patch status and timeline.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today