Platform
wordpress
Component
recent-posts-from-each-category
Fixed in
1.4.1
CVE-2025-49354 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Mindstien Technologies Recent Posts From Each Category WordPress plugin. This vulnerability can be exploited to trigger Stored XSS attacks, potentially allowing attackers to inject malicious scripts into the plugin's data. The vulnerability affects versions from 0.0.0 through 1.4, and a fix is expected in a future release.
The CSRF vulnerability in Recent Posts From Each Category allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation can lead to Stored Cross-Site Scripting (XSS). This means that once an attacker injects malicious JavaScript code, it will be stored on the server and executed whenever other users view the affected pages. The impact can range from session hijacking and account takeover to defacement of the website and redirection to malicious sites. The stored nature of the XSS makes it particularly dangerous, as it persists even if the initial attack vector is removed.
CVE-2025-49354 was publicly disclosed on 2025-12-31. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.1 (HIGH) indicates a significant risk, and it is likely that attackers will begin to develop exploits once they become aware of the vulnerability. Monitor security advisories and threat intelligence feeds for updates.
Websites using the Recent Posts From Each Category plugin, particularly those with user accounts and sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'recent-posts-from-each-category' /var/www/html/wp-content/plugins/
• generic web:
curl -I https://example.com/wp-content/plugins/recent-posts-from-each-category/ | grep -i 'content-security-policy'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep recent-posts-from-each-category
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49354 is to upgrade to a patched version of the Recent Posts From Each Category plugin as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and external resources. Additionally, implement CSRF protection mechanisms on all sensitive plugin settings and endpoints. Monitor WordPress logs for suspicious activity, particularly requests originating from unfamiliar IP addresses.
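The "CSRF protection mechanisms on all sensitive plugin settings and endpoints" recommended above have a standard shape in WordPress: a nonce tied to the action and the current user, a capability check, sanitisation before the value is stored, and escaping when it is rendered. The following is an added example written for this page, not code from the Recent Posts From Each Category plugin or from Mindstien Technologies; the `rpfec_*` function and option names, the settings page slug and the field name are hypothetical. It shows the CSRF-prone handler pattern that the advisory describes (missing nonce, raw input stored, raw output) beside a hardened version, plus the optional CSP header the mitigation section mentions.

```php
<?php
// Added example (not the plugin's code): a WordPress admin settings handler,
// first in the CSRF-prone pattern the advisory describes, then hardened.
// All rpfec_* names, the option key and the page slug are hypothetical.

// --- Pattern to avoid: no nonce, no capability check, raw input stored, raw output ---
function rpfec_save_settings_unsafe() {
    // A third-party page can make any logged-in admin's browser POST here, and
    // whatever arrives in $_POST['title'] is persisted and later echoed verbatim.
    update_option( 'rpfec_widget_title', $_POST['title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=rpfec' ) );
    exit;
}
function rpfec_render_widget_title_unsafe() {
    echo '<h3>' . get_option( 'rpfec_widget_title', '' ) . '</h3>'; // stored XSS sink
}

// --- Hardened form: nonce + capability check on write, sanitise on input, escape on output ---
function rpfec_settings_form() {
    $title = get_option( 'rpfec_widget_title', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rpfec_save_settings">';
    // Emits a per-user, time-limited token that a cross-site request cannot obtain.
    wp_nonce_field( 'rpfec_save_settings', 'rpfec_nonce' );
    echo '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function rpfec_save_settings() {
    // Aborts with HTTP 403 unless the nonce matches this action and the current
    // user; this is the check that stops a forged cross-site request.
    check_admin_referer( 'rpfec_save_settings', 'rpfec_nonce' );

    // The nonce proves intent, not privilege: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rpfec' ), '', array( 'response' => 403 ) );
    }

    // Strip tags and control characters before the value is persisted.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'rpfec_widget_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=rpfec' ) ) );
    exit;
}

// Output side: escaping at render time defeats stored XSS even if an older,
// unsanitised value is already sitting in the database.
function rpfec_render_widget_title() {
    echo '<h3>' . esc_html( get_option( 'rpfec_widget_title', '' ) ) . '</h3>';
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_rpfec_save_settings', 'rpfec_save_settings' );

// Optional defence in depth for the public site: with no 'unsafe-inline' and no
// nonce/hash allow-list, an injected inline script cannot execute even if it
// reaches the page. Kept off the admin area, which relies on inline scripts.
function rpfec_send_csp() {
    if ( ! is_admin() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'rpfec_send_csp' );
```

Two practical notes. A CSP this strict will break any theme or plugin that emits inline scripts on the front end, so roll it out in `Content-Security-Policy-Report-Only` first and read the reports before enforcing it. And when reviewing logs for this class of bug, keep in mind that a CSRF request is sent by the victim's own browser with the victim's own cookies, so the source IP looks normal; a state-changing admin request that lacks the expected nonce parameter, or whose `Origin`/`Referer` header points off-site, is the more useful signal.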
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-49354 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mindstien Technologies Recent Posts From Each Category WordPress plugin, allowing for Stored XSS attacks.
You are affected if you are using the Recent Posts From Each Category plugin in versions 0.0.0 through 1.4.
Upgrade to a patched version of the plugin as soon as it's available. Disable the plugin as a temporary workaround.
Active exploitation is not currently confirmed, but the vulnerability warrants careful monitoring.
Check the Mindstien Technologies website and the WordPress plugin repository for updates and advisories.