List Category Posts
Monthly
Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.
The List category posts WordPress plugin (versions through 0.93.1) contains a DOM-based cross-site scripting (XSS) vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into web pages viewed by other users. An attacker can exploit this through improper input neutralization during web page generation, potentially leading to session hijacking, credential theft, or defacement. With a CVSS score of 5.9 and requiring high privileges plus user interaction, this represents a moderate-severity risk primarily to WordPress sites using this specific plugin.
The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.
The List category posts WordPress plugin (versions through 0.93.1) contains a DOM-based cross-site scripting (XSS) vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into web pages viewed by other users. An attacker can exploit this through improper input neutralization during web page generation, potentially leading to session hijacking, credential theft, or defacement. With a CVSS score of 5.9 and requiring high privileges plus user interaction, this represents a moderate-severity risk primarily to WordPress sites using this specific plugin.
The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.