CVE-2025-68548

2025-12-23 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 23, 2025 - 12:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Stored XSS. This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.2.

Analysis

Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.

Technical Context

This is a CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability. The Responsive Posts Carousel Pro plugin, a WordPress extension that displays posts in carousel format, fails to properly sanitize or escape user-supplied input before rendering it in HTML responses. Stored XSS is more dangerous than the reflected variant because the payload persists in the application's database and executes for every subsequent visitor who views the affected content. WordPress plugins run in both the wp-admin and front-end contexts with direct database and rendering access, so both input validation on save and output escaping on render are critical. The vulnerability likely exists in carousel configuration fields, post metadata, or display settings where user input is accepted but not sanitized on save (for example with sanitize_text_field or wp_kses_post) or escaped on output (for example with esc_html).
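As an added illustration (not code from the plugin, Patchstack or vuln.today), the generic WordPress save/render pattern that produces this class of stored XSS, shown beside its sanitize-on-save and escape-on-output form; the option names, form field names and capability used here are hypothetical.

```php
<?php
// Added example, not the plugin's code. Option and field names are hypothetical.

// --- Vulnerable pattern: raw form data stored, then echoed unescaped -----------
function rpc_demo_save_settings_unsafe() {
    // Constructed scenario: a settings form posts a carousel title.
    update_option( 'rpc_demo_title', $_POST['rpc_title'] );      // no sanitization
}
function rpc_demo_render_unsafe() {
    $title = get_option( 'rpc_demo_title' );
    return '<div class="carousel-title">' . $title . '</div>';    // no escaping
}

// --- Hardened pattern ----------------------------------------------------------
function rpc_demo_save_settings() {
    // Only a privileged user, via the plugin's own form, may change stored values.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'rpc_demo_save' );
    // Sanitize on input: a plain-text field gets tags and control chars stripped.
    $title = sanitize_text_field( wp_unslash( $_POST['rpc_title'] ?? '' ) );
    // A field that legitimately carries limited HTML is filtered with wp_kses_post.
    $desc  = wp_kses_post( wp_unslash( $_POST['rpc_desc'] ?? '' ) );
    // A numeric setting is coerced to a non-negative integer.
    $speed = absint( $_POST['rpc_speed'] ?? 3000 );
    update_option( 'rpc_demo_title', $title );
    update_option( 'rpc_demo_desc', $desc );
    update_option( 'rpc_demo_speed', $speed );
}
function rpc_demo_render() {
    // Escape on output, choosing the escaper for the context the value lands in:
    // esc_attr for attribute values, esc_html for text nodes, wp_kses_post for
    // stored HTML that was already filtered on save.
    $title = get_option( 'rpc_demo_title', '' );
    $desc  = get_option( 'rpc_demo_desc', '' );
    $speed = absint( get_option( 'rpc_demo_speed', 3000 ) );
    return '<div class="carousel" data-speed="' . esc_attr( $speed ) . '">'
         . '<div class="carousel-title">' . esc_html( $title ) . '</div>'
         . '<div class="carousel-desc">' . wp_kses_post( $desc ) . '</div>'
         . '</div>';
}
```

Sanitizing on save alone is not sufficient: the same stored value may also be written into an attribute or a script block elsewhere, so each output site escapes for its own context.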

Affected Products

WebCodingPlace Responsive Posts Carousel Pro WordPress plugin from version 15.2 and all prior versions. The plugin is identified by the WordPress plugin directory slug 'responsive-posts-carousel-pro' and can be referenced using the CPE pattern wp:plugin:responsive-posts-carousel-pro. Detailed vulnerability information is available in the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-2-cross-site-scripting-xss-vulnerability.

Remediation

Users should immediately update Responsive Posts Carousel Pro to the patched version released following version 15.2. Visit the WordPress plugin repository or the plugin's official site to download and install the latest available version, which should include input sanitization fixes. If a patched version is not yet released, administrators should disable the plugin temporarily or restrict access to carousel configuration and post editing features to trusted users only, using WordPress user role management. For additional details and patch status confirmation, consult the vulnerability report at https://patchstack.com/database/Wordpress/Plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-2-cross-site-scripting-xss-vulnerability.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +0, POC 0
