Severity: HIGH | CVE-2025-49354 | CVSS 7.1

CVE-2025-49354: CSRF in Recent Posts From Each Category

Platform

wordpress

Component

recent-posts-from-each-category

Fixed in

1.4.1

AI Confidence: high | NVD | EPSS 0.0% | Reviewed: May 2026

CVE-2025-49354 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Mindstien Technologies Recent Posts From Each Category WordPress plugin. A state-changing request in the plugin is not protected by a nonce, so an attacker who lures a logged-in, suitably privileged user to a crafted page can make that user's browser write attacker-chosen content into the plugin's data. Because that data is later rendered without adequate escaping, the forged write can plant a Stored XSS payload. Affected versions are 0.0.0 through 1.4; the record lists 1.4.1 as the fixed version.

Impact and Attack Scenarios

The CSRF weakness lets an attacker craft a request that the victim's browser sends to the site with the victim's own session cookie attached, so the server treats it as a legitimate action by that user. The attacker needs no account on the site; the victim does, and in practice must be a user allowed to change the plugin's settings, usually an administrator, who is logged in while visiting the attacker's page (the CVSS vector's PR:N/UI:R pair encodes exactly this split). Successful exploitation leads to Stored Cross-Site Scripting: the forged request writes attacker-controlled markup into the plugin's data, and the script then executes in the browser of every user who views a page where the plugin renders it. The impact ranges from session hijacking and defacement to theft of cookies and authentication tokens; when the payload runs in an administrator's session it can create accounts or install plugins, which amounts to control of the entire WordPress site.
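A model of the missing checks and of the fix, as an added Python example (not the plugin's PHP, which this page does not show): a settings-save handler that trusts the session cookie alone, beside one that requires a session-bound nonce and a capability and escapes on output. The WordPress equivalents are named in the comments (wp_create_nonce, wp_verify_nonce, check_admin_referer, current_user_can, sanitize_text_field, esc_html). The action name, the session identifiers, the `title` setting and the site secret are assumptions made for the example.

```python
import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Stand-in for the site's secret salt (constructed here; WordPress derives its
# nonces from the NONCE_KEY / NONCE_SALT constants in wp-config.php).
SITE_SECRET = secrets.token_bytes(32)
SAVE_ACTION = "rpfec_save_settings"   # hypothetical action name, not the plugin's


@dataclass
class Request:
    session_id: str                      # the logged-in user's cookie session
    role: str                            # "administrator", "subscriber", ...
    form: Dict[str, str] = field(default_factory=dict)


def make_nonce(session_id: str, action: str) -> str:
    """Model of wp_create_nonce(): the token is bound to the user's session AND the action."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce: Optional[str], session_id: str, action: str) -> bool:
    """Model of wp_verify_nonce(): constant-time comparison against the expected value."""
    if not nonce:
        return False
    return hmac.compare_digest(nonce, make_nonce(session_id, action))


def vulnerable_save(req: Request, store: Dict[str, str]) -> bool:
    # Trusts the session cookie alone. A form on an attacker's page, auto-submitted by
    # the logged-in admin's browser, carries that cookie and is accepted as-is.
    store["title"] = req.form.get("title", "")
    return True


def vulnerable_render(store: Dict[str, str]) -> str:
    # Echoes the stored value raw: whatever the forged request wrote is now stored XSS.
    return f'<h3 class="rpfec-title">{store.get("title", "")}</h3>'


def hardened_save(req: Request, store: Dict[str, str]) -> bool:
    # 1. Capability check: current_user_can('manage_options') in WordPress.
    if req.role != "administrator":
        return False
    # 2. CSRF check: check_admin_referer() / wp_verify_nonce(). The attacker's page cannot
    #    read the admin's nonce, so a cross-site form cannot supply a valid one.
    if not verify_nonce(req.form.get("_wpnonce"), req.session_id, SAVE_ACTION):
        return False
    # 3. Input sanitisation: sanitize_text_field() would also strip tags; output escaping
    #    below is the control that holds regardless of what got stored.
    store["title"] = req.form.get("title", "").strip()
    return True


def hardened_render(store: Dict[str, str]) -> str:
    # Output escaping (esc_html()): a stored payload becomes inert text.
    return f'<h3 class="rpfec-title">{html.escape(store.get("title", ""), quote=True)}</h3>'


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    # Constructed cross-site request: valid admin session cookie, no nonce in the form.
    forged = Request("admin-sess", "administrator", {"title": payload})
    weak: Dict[str, str] = {}
    vulnerable_save(forged, weak)
    print("vulnerable:", vulnerable_render(weak))
    strong: Dict[str, str] = {}
    print("hardened accepts forged request:", hardened_save(forged, strong))
```

The nonce alone is what defeats the forgery: the browser attaches the cookie automatically, but it will not attach a token that only the site's own pages can embed. The escaping on output is defence in depth for values that reached the store some other way.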

Exploitation Context

CVE-2025-49354 was publicly disclosed on 2025-12-31. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is rated as HIGH (CVSS 7.1). It is not currently listed on the CISA KEV catalog. Active campaigns targeting this specific vulnerability are not yet confirmed, but the presence of a CSRF leading to Stored XSS warrants careful monitoring.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (base score 7.1, HIGH)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

What do these metrics mean?
Attack Vector
Network: the lure page and the forged request travel over the internet; no local or physical access is needed.
Attack Complexity
Low: once a logged-in user loads the attacker's page, the request succeeds reliably, with no race, rare configuration or guessed secret involved.
Privileges Required
None: the attacker needs no account on the site. The victim, by contrast, must be logged in with rights to save the plugin's data; CVSS scores the attacker's privileges, not the victim's.
User Interaction
Required: a victim must open the attacker's page or link while authenticated to WordPress.
Scope
Changed: the weakness is in the plugin, but the planted script runs in the browsers of the site's visitors and administrators, a different security authority from the vulnerable component.
Confidentiality
Low: the payload can read what the victim's browser can see on the site, such as page content and cookies not marked HttpOnly.
Integrity
Low: the forged request alters the plugin's stored data, and the script can then act as the victim on the site.
Availability
Low: limited to defacing or breaking the pages where the payload renders.

Affected Software

Component: recent-posts-from-each-category
Vendor: wordfence (as recorded; the plugin author named above is Mindstien Technologies)
Affected range: 0 – 1.4
Fixed in: 1.4.1

Package Information

Active installs: 50
Plugin rating: 3.7
Requires WordPress: 3.0+
Compatible up to: 4.0.38

The "compatible up to" value is a WordPress 4.0-series release, so the plugin has not been declared tested against any current WordPress version. Together with the small install base, that is a second reason to replace it rather than only patch it.

Weakness Classification (CWE)

CWE-352: Cross-Site Request Forgery (CSRF). The payload it plants is then executed as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Timeline

  1. Reserved
  2. Published: 2025-12-31
  3. Modified
  4. EPSS updated

144 days since disclosure. The affected-range record lists 1.4.1 as the fixed version; confirm that release is actually available in the WordPress plugin directory before relying on it.

Mitigation and Workarounds

The primary mitigation is to upgrade to version 1.4.1 or later, which the affected-range record lists as the fixed release. Confirm that the release is present in the WordPress plugin directory; if it is not, deactivate and remove the plugin, after which its data can no longer be written through the vulnerable path or rendered. Given roughly 50 active installs and a declared compatibility ceiling of WordPress 4.0.38, replacing the plugin is a reasonable permanent answer. Interim controls, in decreasing order of usefulness: keep users with rights to the plugin's settings from browsing untrusted sites while logged in, or have them use a separate browser profile for wp-admin; a Content Security Policy that disallows inline scripts blunts the stored payload, but WordPress core and most themes depend on inline scripts, so test it in report-only mode before enforcing; and watch web server or WAF logs for POST requests to wp-admin endpoints whose Referer or Origin header is missing or names another host, which is the signature of a cross-site form submission. Do not respond by blocking the source IP: in a CSRF the request arrives from the victim's own address. Strong authentication and regular permission audits reduce how many accounts are worth targeting but do not prevent the forgery itself, because the browser attaches the victim's cookie automatically.
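The log check described above, as an added Python example that is not code from this page, the plugin or Wordfence: it parses web server lines in the combined log format, keeps only POSTs to the standard WordPress admin write endpoints (options.php, admin-post.php, admin-ajax.php, admin.php), and flags those whose Referer is absent or belongs to another host. The plugin's own settings endpoint is not given on this page, so the rule matches the generic wp-admin entry points; the sample lines, host names, IP addresses and the `rpfec-settings` page slug are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic WordPress admin endpoints through which plugin settings are saved (assumption:
# this page does not name the plugin's specific endpoint).
ADMIN_WRITE_PATHS = (
    "/wp-admin/options.php",
    "/wp-admin/admin-post.php",
    "/wp-admin/admin-ajax.php",
    "/wp-admin/admin.php",
)


@dataclass
class Finding:
    ip: str
    user: str
    path: str
    status: int
    referer: str
    reason: str      # "cross-site-referer" or "missing-referer"
    severity: str    # "high" or "low"


def is_admin_write(method: str, path: str) -> bool:
    """Only state-changing requests to wp-admin write endpoints are in scope."""
    return method == "POST" and path.split("?", 1)[0] in ADMIN_WRITE_PATHS


def classify_referer(referer: str, site_host: str) -> Optional[str]:
    """Return a reason string when the Referer does not look like the site's own page."""
    if referer in ("", "-"):
        # Privacy settings or proxies can strip Referer, so this is only a weak signal.
        return "missing-referer"
    host = urlsplit(referer).hostname or ""
    if host.lower() != site_host.lower():
        # A POST to wp-admin whose form lived on another host is the CSRF shape.
        return "cross-site-referer"
    return None


def scan(lines: List[str], site_host: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_admin_write(m["method"], m["path"]):
            continue
        reason = classify_referer(m["referer"], site_host)
        if reason is None:
            continue
        severity = "high" if reason == "cross-site-referer" else "low"
        # Note: m["ip"] is the VICTIM's browser in a CSRF, not the attacker's; it is
        # reported for triage, not for blocking.
        findings.append(Finding(m["ip"], m["user"], m["path"], int(m["status"]),
                                m["referer"], reason, severity))
    return findings


# Constructed sample log (not real traffic); the site is blog.example.
SAMPLE_LOG = [
    # Legitimate save: the admin submitted the plugin's own settings page on the site.
    '203.0.113.7 - admin [24/May/2026:10:01:02 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 '
    '"https://blog.example/wp-admin/options-general.php?page=rpfec-settings" "Mozilla/5.0"',
    # Forged save: same admin session, but the form was submitted from an attacker page.
    '203.0.113.7 - admin [24/May/2026:10:07:45 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 '
    '"https://lure.example/free-plugins.html" "Mozilla/5.0"',
    # Admin GET reached via an external link: not state-changing, not flagged.
    '203.0.113.7 - admin [24/May/2026:10:08:01 +0000] "GET /wp-admin/admin.php?page=rpfec-settings HTTP/1.1" 200 5120 '
    '"https://lure.example/free-plugins.html" "Mozilla/5.0"',
    # POST with no Referer at all: rejected by the site (403), flagged at low confidence.
    '198.51.100.9 - - [24/May/2026:11:15:30 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 403 0 '
    '"-" "Mozilla/5.0"',
    # Front-end comment POST from elsewhere: outside wp-admin, not in scope for this rule.
    '198.51.100.9 - - [24/May/2026:11:16:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 '
    '"https://lure.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "blog.example"):
        print(f"[{f.severity}] {f.reason}: user={f.user} ip={f.ip} {f.path} -> {f.status} referer={f.referer}")
```

A 302 on the forged line means the save went through; a 403 on a wp-admin POST is what a working nonce check produces, so the status column separates "blocked attempt" from "successful write" once the fixed version is in place. Logging the Origin header as well (a custom log format is needed for that) gives a stronger signal than Referer, because browsers send Origin on cross-site POSTs even when Referer is suppressed.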

How to fix

Upgrade Recent Posts From Each Category to 1.4.1 or later, the version the record lists as fixed. If that release is not available to you, deactivate and uninstall the plugin and find a replacement; the workarounds above only reduce exposure and do not close the CSRF.

Frequently asked questions

What is CVE-2025-49354 — CSRF in Recent Posts From Each Category?

CVE-2025-49354 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mindstien Technologies Recent Posts From Each Category WordPress plugin, allowing for Stored XSS attacks.

Am I affected by CVE-2025-49354 in Recent Posts From Each Category?

You are affected if you are using the Recent Posts From Each Category plugin in versions 0.0.0 through 1.4.

How do I fix CVE-2025-49354 in Recent Posts From Each Category?

Upgrade to version 1.4.1 or later, the release the record lists as fixed. If you cannot, deactivate the plugin until you can.

Is CVE-2025-49354 being actively exploited?

Active exploitation is not currently confirmed, but the vulnerability warrants careful monitoring.

Where can I find the official Recent Posts From Each Category advisory for CVE-2025-49354?

Check the Mindstien Technologies website and the WordPress plugin repository for updates and advisories.
