CVE-2025-49354

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 06:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category (recent-posts-from-each-category) allows Stored XSS. This issue affects Recent Posts From Each Category: from n/a through <= 1.4.

Analysis

Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4, exploitable via Cross-Site Request Forgery (CSRF). Because the request is forged through an authenticated administrator's browser, an unauthenticated attacker can inject a script payload that is stored by the plugin and later executes in the browsers of site administrators and visitors. The vulnerability combines a missing CSRF check with inadequate input sanitization, so the payload persists and affects every user who views the affected plugin output.

Technical Context

The Recent Posts From Each Category WordPress plugin fails to implement proper CSRF token validation (CWE-352) on administrative or user-input endpoints, and additionally lacks sufficient input validation or output encoding. An attacker can therefore craft a request that, when an authenticated administrator is induced to submit it through social engineering, stores unsanitized attacker-controlled data in the WordPress database. When the plugin later renders this data on the frontend via shortcodes or widgets without escaping it, the stored JavaScript payload executes in visitor browsers, resulting in Stored XSS (CWE-79) as the derived impact. The plugin identifier is recent-posts-from-each-category, distributed through the WordPress plugin repository.
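The three controls whose absence the analysis above describes (a nonce check tied to the administrator's session, a capability check, and sanitisation on input plus escaping on output) look like this in a WordPress settings handler. This is an added example, not the plugin's own code; the rpfec_* function names, the rpfec_settings option key, the rpfec_nonce field and the shortcode tag are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). All rpfec_* names, the option key
// 'rpfec_settings' and the shortcode tag below are assumed for illustration.

// Render the settings form. wp_nonce_field() emits a token bound to the
// logged-in user's session, which a cross-site forged POST cannot supply.
function rpfec_render_settings_form() {
    $settings = get_option( 'rpfec_settings', array( 'title' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rpfec_save_settings">
        <?php wp_nonce_field( 'rpfec_save_settings', 'rpfec_nonce' ); ?>
        <input type="text" name="rpfec_title"
               value="<?php echo esc_attr( $settings['title'] ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. Each step closes one gap named in the advisory:
// capability check, nonce (CSRF) check, then sanitisation before storage.
function rpfec_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce and dies if it is missing or stale.
    check_admin_referer( 'rpfec_save_settings', 'rpfec_nonce' );

    $title = isset( $_POST['rpfec_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['rpfec_title'] ) )
        : '';
    update_option( 'rpfec_settings', array( 'title' => $title ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=rpfec&updated=1' ) );
    exit;
}
add_action( 'admin_post_rpfec_save_settings', 'rpfec_save_settings' );

// Frontend output: escape at render time as well, so data stored before the
// fix (or that slipped past input filtering) still cannot run as script.
function rpfec_shortcode() {
    $settings = get_option( 'rpfec_settings', array( 'title' => '' ) );
    return '<h3 class="rpfec-title">' . esc_html( $settings['title'] ) . '</h3>';
}
add_shortcode( 'recent_posts_each_category', 'rpfec_shortcode' );
```

Input sanitisation and output escaping are kept as separate layers deliberately: the nonce stops the forged write, and esc_html() ensures that anything already in the database is rendered as text rather than markup.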

Affected Products

Recent Posts From Each Category WordPress plugin from version 1.0 (implied) through version 1.4 inclusive. The plugin is identified by the slug recent-posts-from-each-category and hosted on the official WordPress plugin repository. No CPE string is provided in the vulnerability data; within the WordPress plugin ecosystem the affected component is commonly referenced as wp:plugin:recent-posts-from-each-category.

Remediation

Update to Recent Posts From Each Category version 1.5 or later, which should address the CSRF token validation and output sanitization flaws. Administrators using version 1.4 or earlier should navigate to WordPress admin dashboard > Plugins > Installed Plugins, find Recent Posts From Each Category, and click Update immediately. If an update is not yet available, deactivate and remove the plugin until a patched version is released. Review Patchstack's vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/recent-posts-from-each-category/vulnerability/wordpress-recent-posts-from-each-category-plugin-1-4-cross-site-request-forgery-csrf-vulnerability for the latest patch status and timeline.

Priority Score

Score: 0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
