Platform
wordpress
Component
recent-posts-from-each-category
Fixed in
1.4.1
CVE-2025-49354 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Mindstien Technologies Recent Posts From Each Category WordPress plugin. This vulnerability can be exploited to trigger Stored XSS attacks, potentially allowing attackers to inject malicious scripts into the plugin's data. The vulnerability affects versions from 0.0.0 through 1.4, and a fix is expected in a future release.
The CSRF vulnerability in Recent Posts From Each Category allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation can lead to Stored Cross-Site Scripting (XSS). This means an attacker can inject malicious JavaScript code that is stored on the server and executed when other users view affected pages. The impact of this XSS can range from session hijacking and defacement of the website to the theft of sensitive user data, including cookies and authentication tokens. The attacker could potentially gain control of user accounts or even the entire WordPress site depending on the privileges of the affected user.
CVE-2025-49354 was publicly disclosed on 2025-12-31. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is rated as HIGH (CVSS 7.1). It is not currently listed on the CISA KEV catalog. Active campaigns targeting this specific vulnerability are not yet confirmed, but the presence of a CSRF leading to Stored XSS warrants careful monitoring.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49354 is to upgrade to a patched version of the Recent Posts From Each Category plugin as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement strict Content Security Policy (CSP) headers to limit the execution of inline scripts and external resources. Additionally, enforce strong user authentication and regularly audit user permissions to minimize the potential impact of a successful attack. Monitor web application firewalls (WAFs) for suspicious CSRF requests targeting the plugin's endpoints.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-49354 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mindstien Technologies Recent Posts From Each Category WordPress plugin, allowing for Stored XSS attacks.
You are affected if you are using the Recent Posts From Each Category plugin in versions 0.0.0 through 1.4.
Upgrade to a patched version of the plugin as soon as it's available. Disable the plugin as a temporary workaround.
Active exploitation is not currently confirmed, but the vulnerability warrants careful monitoring.
Check the Mindstien Technologies website and the WordPress plugin repository for updates and advisories.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.