Wp Latest Posts
Monthly
Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.
Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.