CVE-2025-13608 - Vulnerability Details

- CC Child Pages <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode

Description

The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-12-15

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CC Child Pages WordPress plugin is vulnerable to stored cross‑site scripting. The 'child_pages' shortcode accepts four user‑supplied attributes—use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt—that are not properly sanitized or escaped, resulting in a CWE‑79 vulnerability. An attacker can inject arbitrary JavaScript into a page that will execute whenever a user visits that page.

Affected Systems

This flaw targets Caterham Computing’s CC Child Pages plugin for WordPress. All versions up to and including 2.0.0 are affected; the vulnerability is present in every release up to that point.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate risk level, while the EPSS score of less than 1% shows exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication with contributor level or higher access, the threat is confined to users who can edit content using the 'child_pages' shortcode.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

caterhamcomputing

CC Child Pages

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0.0

No data.

Vendor	Product	Confidence	Versions
Caterhamcomputing	Cc Child Pages	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the CC Child Pages plugin to the latest version that fixes the XSS issue if an updated release is available.
Restrict contributor permissions or downgrade users who have editing rights with the 'child_pages' shortcode to a role that cannot modify such content.
Exclude or disable the 'child_pages' shortcode on pages that do not require contributor editing or that are publicly accessible.
Review existing pages for embedded script tags or malicious code added via the shortcode and remove any that appear harmful.

Generated by OpenCVE AI on April 28, 2026 at 10:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3403877/cc-child-pages
https://www.wordfence.com/threat-intel/vulnerabilities/id/139009b5-69d4-44ca-820c-766645828e5e?source=cve

History

Mon, 15 Dec 2025 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Caterhamcomputing Caterhamcomputing cc Child Pages Wordpress Wordpress wordpress
Vendors & Products		Caterhamcomputing Caterhamcomputing cc Child Pages Wordpress Wordpress wordpress

Mon, 15 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 15 Dec 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		CC Child Pages <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3403877/cc-child-pages https://www.wordfence.com/threat-intel/vulnerabilities/id/139009b5-69d4-44ca-820c-766645828e5e?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Caterhamcomputing Cc Child Pages

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-15T14:25:08.567Z

Updated: 2026-04-08T16:36:39.639Z

Reserved: 2025-11-24T15:08:09.981Z

Link: CVE-2025-13608

Vulnrichment

Updated: 2025-12-15T15:42:37.347Z

NVD

Status : Deferred

Published: 2025-12-15T15:15:48.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object