CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
The Post Grid Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘argsArray['read_more_text']’ parameter in all versions up to, and including, 3.4.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Analysis (AI)
Reflected cross-site scripting in Post Grid Master WordPress plugin versions up to 3.4.13 allows unauthenticated attackers to inject arbitrary JavaScript through the 'argsArray[read_more_text]' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link and trick users into clicking it, causing the injected script to execute in their browser with the victim's privileges. Publicly available exploit code exists, and the vulnerability affects all installations of the plugin through version 3.4.13.
Technical Context (AI)
The vulnerability is an instance of CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic cross-site scripting flaw. The Post Grid Master plugin processes user-supplied input from the 'argsArray[read_more_text]' parameter without properly sanitizing it or escaping output when rendering page content. The parameter likely controls the text of a 'read more' link displayed in post grid layouts, and the plugin fails to apply WordPress escaping functions (such as esc_attr, esc_html, or wp_kses_post) before outputting this value to the page. Because the injection point accepts user input from the query string and reflects it back unsanitized, attackers can embed malicious script tags or event handlers that execute in the context of the affected page. The CPE string cpe:2.3:a:addonmaster:post_grid_master:*:*:*:*:*:wordpress:*:* identifies the affected product as the Post Grid Master plugin for WordPress; its version field is a wildcard, and the affected range given in the description is every version up to and including 3.4.13.
Remediation (AI)
Update the Post Grid Master plugin to version 3.4.14 or later immediately. WordPress administrators should navigate to their WordPress admin dashboard, go to Plugins, locate Post Grid Master (or ajax-filter-posts), and click Update if available. Alternatively, disable and remove the plugin if an update is unavailable or not planned. Until the update can be applied, consider disabling the plugin or restricting access to pages where it is active. Verify the plugin version in the WordPress plugin directory (https://wordpress.org/plugins/ajax-filter-posts/) to confirm the patched version is available. The official Wordfence vulnerability advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/08137a9e-6e4d-4ca6-954e-e98a44b0c9be) provides additional technical details and timeline information.
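For administrators who manage sites from the filesystem rather than the dashboard, the version check described above can be scripted. The following is an added example, not code from the plugin or from the advisory: it reads the standard WordPress plugin header from the ajax-filter-posts directory and compares the version numerically against 3.4.14 (a plain string comparison would wrongly rank 3.4.9 above 3.4.14). The stub file name and the sample directory tree are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "ajax-filter-posts"   # plugin directory slug named in the remediation text
FIXED_VERSION = (3, 4, 14)          # first patched release according to the page
HEADER_BYTES = 8192                 # WordPress only scans the first 8 KiB for headers
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '3.4.13' into (3, 4, 13); missing parts become 0, suffixes are ignored."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugin_dir):
    """Return the Version header from the file carrying 'Plugin Name:', or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if NAME_RE.search(head):
            match = VERSION_RE.search(head)
            return match.group(1) if match else None
    return None

def audit(wp_content):
    """Classify the install under wp-content: absent, unknown, vulnerable or patched."""
    plugin_dir = Path(wp_content) / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("absent", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)    # directory exists but no readable header: check by hand
    state = "vulnerable" if parse_version(version) < FIXED_VERSION else "patched"
    return (state, version)

def make_sample(root, version):
    """Build a constructed wp-content tree holding a stub plugin file (sample data)."""
    plugin_dir = Path(root) / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: Post Grid Master\n * Version: {version}\n */\n"
    (plugin_dir / "sample-main.php").write_text(header)   # hypothetical file name
    return root

if __name__ == "__main__":
    for v in ("3.4.13", "3.4.14"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, audit(make_sample(tmp, v)))
```

A deactivated plugin still appears here because its files remain on disk; point audit() at each site's real wp-content path to inventory a multi-site host.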