VulnerAlert



WORDPRESS
06-09-2025 02:20

CVE-2025-6757 Documented vulnerability

6.4 MEDIUM
Tags
#wordpress
#site
#plugin
#cross
#web
#cross-site
#cross-site scripting
#attackers
#authenticated
#arbitrary
#vulnerable
#scripting
#inject
#execute
#attack
#access
Description
The Recent Posts Widget Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rpwe' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
https://plugins.trac.wordpress.org/browser/recent-posts-widget-extended/tags/2.0.2/includes/functions.php#L24
https://plugins.trac.wordpress.org/browser/recent-posts-widget-extended/tags/2.0.2/includes/shortcode.php#L14
https://wordpress.org/plugins/recent-posts-widget-extended/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/3b70f48f-76a6-459c-8108-3ca008471534?source=cve

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-6757
Similar results
Matching at least 50% of the tags
08-09-2025 CVE-2025-9493
The Admin Menu Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
08-09-2025 CVE-2025-9442
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scri...
This project was co-financed by the Consejo Nacional de Ciencia y Tecnología (CONACYT) through PROINNOVA 2021/2023