Description
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

The Same Category Posts plugin allows authenticated users with Author or higher privileges to inject arbitrary scripts by exploiting the widget title placeholder; the plugin decodes encoded HTML entities, enabling stored XSS in pages viewed by other visitors, potentially allowing cookie theft, session hijacking, or site defacement.

Affected Systems

The vulnerability affects the kometschuh Same Category Posts plugin for WordPress in all releases up to and including 1.1.19; users running these versions should update as soon as possible.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate risk, and the EPSS score of less than 1% shows a very low exploitation probability; the issue is not listed in CISA KEV. Attackers need only Author‑level or higher permissions to create a malicious widget title, and the injected script runs when any site visitor loads a page containing the widget.

Generated by OpenCVE AI on April 21, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Same Category Posts plugin to version 1.1.20 or later.
  • If upgrading is not immediately possible, remove or delete the widget containing the vulnerable title placeholder.
  • Configure site‑wide input sanitization or employ a security plugin to block XSS patterns in widget titles.

Generated by OpenCVE AI on April 21, 2026 at 16:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 24 Jan 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Same Category Posts <= 1.1.19 - Authenticated (Author+) Stored Cross-Site Scripting via Widget Title Placeholder
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:19.867Z

Reserved: 2025-12-16T19:24:21.703Z

Link: CVE-2025-14797

cve-icon Vulnrichment

Updated: 2026-01-26T18:20:09.284Z

cve-icon NVD

Status : Deferred

Published: 2026-01-24T08:16:05.900

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses