WebCodingPlace Responsive Posts Carousel Pro CVE-2025-68548
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Stored XSS.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.2.
AnalysisAI
Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.
Technical ContextAI
This is a CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability. The Responsive Posts Carousel Pro plugin, a WordPress extension that displays posts in carousel format, fails to properly sanitize or escape user-supplied input before rendering it in HTML responses. Stored XSS vulnerabilities are more dangerous than reflected variants because the malicious payload persists in the application's database and executes for all subsequent visitors who view the affected content. WordPress plugins operate within the wp-admin and frontend contexts with direct database and rendering access, making input validation critical. The vulnerability likely exists in carousel configuration fields, post metadata, or display settings where user input is accepted but not properly escaped using WordPress sanitization functions (such as sanitize_text_field, wp_kses_post, or esc_html).
Affected ProductsAI
WebCodingPlace Responsive Posts Carousel Pro WordPress plugin from version 15.2 and all prior versions. The plugin is identified by the WordPress plugin directory slug 'responsive-posts-carousel-pro' and can be referenced using the CPE pattern wp:plugin:responsive-posts-carousel-pro. Detailed vulnerability information is available in the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-2-cross-site-scripting-xss-vulnerability.
RemediationAI
Users should immediately update Responsive Posts Carousel Pro to the patched version released following version 15.2. Visit the WordPress plugin repository or the plugin's official site to download and install the latest available version, which should include input sanitization fixes. If a patched version is not yet released, administrators should disable the plugin temporarily or restrict access to carousel configuration and post editing features to trusted users only, using WordPress user role management. For additional details and patch status confirmation, consult the vulnerability report at https://patchstack.com/database/Wordpress/Plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-2-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today