CVE-2025-68885
Description
Cross-Site Request Forgery (CSRF) vulnerability in page-carbajal Custom Post Status custom-post-status allows Stored XSS. This issue affects Custom Post Status: from n/a through <= 1.1.0.
Analysis
The WordPress Custom Post Status plugin, up to and including version 1.1.0, lacks cross-site request forgery (CSRF) protection on at least one state-changing administrative request. An attacker who lures an authenticated administrator to a page they control can have the administrator's browser submit that request with the administrator's session cookies attached, so the action is performed in the administrator's security context. Because the value written by that request is later rendered without adequate sanitization or escaping, the same forged request can plant a persistent JavaScript payload in the WordPress database (stored XSS). The attacker needs no account on the target site, but the chain does require a privileged user to visit the attacker's page while logged in. This is a chained issue: the missing CSRF check supplies the write, and the missing input sanitization and output encoding turn that write into stored XSS.
Technical Context
The Custom Post Status plugin (CPE references use the identifier wordpress-plugin-custom-post-status; the WordPress.org slug is custom-post-status) does not adequately verify WordPress nonces on its administrative form handling (CWE-352). Nonces are the only CSRF defense WordPress offers plugin handlers: a handler that checks only current_user_can() still accepts a request forged from another origin, because the browser attaches the administrator's cookies automatically and the request runs with the administrator's privileges. Browser SameSite=Lax cookie defaults reduce but do not remove the exposure (state changes reachable by GET, and browsers or configurations without the Lax default, remain affected), so nonce verification is still required. The public description does not name the specific endpoint or the field in which the payload is stored; the pattern it describes is a status-related value that is saved without sanitization and later echoed without escaping, so a forged request can persist a script that executes for other administrators or, depending on where the value is displayed, for site visitors.
Affected Products
All releases of the Custom Post Status WordPress plugin up to and including version 1.1.0 are affected. The plugin is distributed through the WordPress.org plugin repository and the issue is tracked in the Patchstack vulnerability database. The advisory does not break the affected range down further (no per-version CPE strings are provided for the 0.x or 1.x releases), so treat every installation running 1.1.0 or earlier as vulnerable.
Remediation
Update the Custom Post Status plugin to a release later than 1.1.0. The exact patched version is not stated in the intelligence available here; check the WordPress.org plugin page or the Patchstack advisory for the first fixed release, and confirm the installed version with `wp plugin get custom-post-status --field=version` (WP-CLI) or the Plugins screen in wp-admin. If no fixed release is available, or the fix timeline is unclear, deactivate the plugin until one is.

Because the impact is stored XSS, patching alone does not remove a payload that was already written: inspect the plugin's stored settings and any post status or post meta values it writes for script tags or event-handler attributes, and review admin activity logs (and the web server access log for POSTs to admin-post.php, admin-ajax.php or the plugin's settings page with an off-site Referer) for anomalous actions during the exposure window. For plugin code under your own control, ensure every admin-facing form emits a nonce with wp_nonce_field() and every handler verifies it with check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before acting, and that status-related input is sanitized on save (for example sanitize_text_field()) and escaped on output (esc_html() or esc_attr()). Refer to https://patchstack.com/database/Wordpress/Plugin/custom-post-status/ for the latest advisory and patched version details.
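The following is an added example, not code from the Custom Post Status plugin or the Patchstack advisory. It shows the generic WordPress pattern behind the chain described under Technical Context (a settings handler with no nonce check that stores raw input and echoes it unescaped) next to the hardened form called for under Remediation. All hook names, option keys and field names (cps_save_status, cps_status_label, status_label, cps_nonce) are hypothetical; the WordPress API calls are real.

```php
<?php
/**
 * Added example: hypothetical CSRF -> stored XSS handler and its hardened form.
 * Not the plugin's code. Hook, option and field names are invented.
 */

/* ---------- VULNERABLE pattern (hypothetical) ---------- */
add_action( 'admin_post_cps_save_status_vuln', 'cps_save_status_vuln' );
function cps_save_status_vuln() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // The capability check does not stop CSRF: the victim IS a logged-in admin,
    // and the browser attaches their cookies to the forged POST automatically.
    $label = $_POST['status_label'];                 // attacker-controlled, unsanitized
    update_option( 'cps_status_label', $label );     // "<script>..." stored verbatim
    wp_safe_redirect( admin_url( 'options-general.php?page=cps' ) );
    exit;
}

function cps_render_label_vuln() {
    // Unescaped output of the stored value: this is where the stored XSS fires.
    echo '<span class="cps-status">' . get_option( 'cps_status_label' ) . '</span>';
}

/* ---------- HARDENED pattern ---------- */
function cps_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'cps_save_status', 'cps_nonce' ); // per-user, per-action token ?>
        <input type="hidden" name="action" value="cps_save_status">
        <input type="text" name="status_label"
               value="<?php echo esc_attr( get_option( 'cps_status_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_cps_save_status', 'cps_save_status' );
function cps_save_status() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CWE-352 fix: the nonce is bound to this action and to the current user;
    // a page on another origin cannot obtain it, so a forged POST dies here.
    check_admin_referer( 'cps_save_status', 'cps_nonce' );

    // Sanitize on input: strip tags, control characters and extra whitespace.
    $label = isset( $_POST['status_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['status_label'] ) )
        : '';
    // Reject what the feature never needs rather than trying to clean it.
    if ( strlen( $label ) > 64 ) {
        wp_die( 'Label too long', '', array( 'response' => 400 ) );
    }
    update_option( 'cps_status_label', $label );
    wp_safe_redirect( add_query_arg( 'cps_saved', '1', admin_url( 'options-general.php?page=cps' ) ) );
    exit;
}

function cps_render_label() {
    // Escape on output as well: defense in depth for values stored before the fix.
    echo '<span class="cps-status">' . esc_html( get_option( 'cps_status_label', '' ) ) . '</span>';
}
```

Note that the nonce check must come before any write, and that escaping on output is not optional even with input sanitization in place: a value written by an older vulnerable release is still in the database after the plugin is updated, and esc_html() is what keeps it inert.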
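As a practical way to carry out the "verify that nonces are validated on all admin-facing forms" step above, the following added example (not part of the plugin or the advisory) is a small heuristic audit script: it tokenizes each PHP file under a plugin directory, isolates every named function, and reports functions that read $_POST, $_GET or $_REQUEST without calling check_admin_referer(), check_ajax_referer() or wp_verify_nonce() in the same body, marking those registered as admin_post_* or wp_ajax_* handlers. The sample plugin source embedded at the bottom is constructed for the demonstration.

```php
<?php
/**
 * Added example: heuristic nonce-coverage audit for WordPress plugin code.
 * Usage: php nonce-audit.php /path/to/wp-content/plugins/<plugin>
 * Run with no argument to audit the constructed sample at the bottom.
 */

const INPUT_VARS   = array( '$_POST', '$_GET', '$_REQUEST' );
const NONCE_CHECKS = array( 'check_admin_referer', 'check_ajax_referer', 'wp_verify_nonce' );

/** Map of function name => body source for every named function in $code. */
function extract_functions( string $code ): array {
    $tokens = token_get_all( $code );
    $n      = count( $tokens );
    $out    = array();
    for ( $i = 0; $i < $n; $i++ ) {
        if ( ! is_array( $tokens[ $i ] ) || T_FUNCTION !== $tokens[ $i ][0] ) {
            continue;
        }
        // Function name is the first T_STRING before '('; closures have none.
        $name = null;
        for ( $j = $i + 1; $j < $n; $j++ ) {
            if ( '(' === $tokens[ $j ] ) { break; }
            if ( is_array( $tokens[ $j ] ) && T_STRING === $tokens[ $j ][0] ) { $name = $tokens[ $j ][1]; break; }
        }
        if ( null === $name ) { continue; }
        // Body runs from the first '{' after the signature to its matching '}'.
        // A ';' before any '{' means an abstract/interface method with no body.
        $depth = 0; $started = false; $body = '';
        for ( $k = $j; $k < $n; $k++ ) {
            $t = $tokens[ $k ];
            $s = is_array( $t ) ? $t[1] : $t;
            if ( ! $started && ';' === $s ) { break; }
            if ( '{' === $s || '${' === $s ) { $depth++; $started = true; }
            if ( $started ) { $body .= $s; }
            if ( '}' === $s && $started && --$depth === 0 ) { break; }
        }
        $out[ $name ] = $body;
        $i = $k;
    }
    return $out;
}

/** Callback names registered with add_action( 'admin_post_*' | 'wp_ajax_*', 'callback' ). */
function hooked_handlers( string $code ): array {
    preg_match_all( '/add_action\(\s*[\'"](?:admin_post_|wp_ajax_)[^\'"]*[\'"]\s*,\s*[\'"]([A-Za-z0-9_]+)[\'"]/', $code, $m );
    return array_values( array_unique( $m[1] ) );
}

/** Findings for one source string; $file is only used for labelling. */
function audit_source( string $code, string $file = '(inline)' ): array {
    $findings = array();
    $hooked   = hooked_handlers( $code );
    foreach ( extract_functions( $code ) as $name => $body ) {
        $reads_input = false;
        foreach ( INPUT_VARS as $v ) { if ( false !== strpos( $body, $v ) ) { $reads_input = true; } }
        if ( ! $reads_input ) { continue; }
        $verifies = false;
        foreach ( NONCE_CHECKS as $fn ) { if ( preg_match( '/\b' . $fn . '\s*\(/', $body ) ) { $verifies = true; } }
        if ( ! $verifies ) {
            $findings[] = sprintf( '%s: %s() reads request input without a nonce check%s',
                $file, $name, in_array( $name, $hooked, true ) ? ' [registered admin_post/wp_ajax handler]' : '' );
        }
    }
    return $findings;
}

function audit_dir( string $dir ): array {
    $findings = array();
    $it = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $f ) {
        if ( 'php' === strtolower( $f->getExtension() ) ) {
            $findings = array_merge( $findings, audit_source( file_get_contents( $f->getPathname() ), $f->getPathname() ) );
        }
    }
    return $findings;
}

// Constructed sample plugin source (hypothetical): one unprotected hooked
// handler, one protected handler, one output-only function.
$sample = <<<'PHPSRC'
<?php
add_action( 'admin_post_cps_save', 'cps_save' );
function cps_save() { update_option( 'cps_label', $_POST['label'] ); }
function cps_save_ok() { check_admin_referer( 'cps_save', 'cps_nonce' ); update_option( 'cps_label', sanitize_text_field( $_POST['label'] ) ); }
function cps_render() { echo esc_html( get_option( 'cps_label' ) ); }
PHPSRC;

if ( 'cli' === PHP_SAPI ) {
    $findings = isset( $argv[1] ) ? audit_dir( $argv[1] ) : audit_source( $sample, 'sample' );
    echo $findings ? implode( PHP_EOL, $findings ) . PHP_EOL : "no findings\n";
}
```

On the constructed sample only cps_save() is reported, tagged as a registered admin_post handler. The check is a heuristic: it will miss a nonce verified in a helper called from the handler, and it will pass a function that calls wp_verify_nonce() but ignores the return value, so treat its output as a review queue rather than a verdict.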