Description
Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0.
Published: 2025-03-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw lets an attacker who tricks a logged‑in administrator into sending a specially crafted request store malicious JavaScript in the plugin’s data. Because that stored code is rendered as part of the post listing, the script executes in the browser of whoever loads the listing page, enabling session hijacking, defacement or other malicious actions. The weakness is identified as CWE‑352.

Affected Systems

The vulnerability affects the WordPress plugin "List of Posts from each Category" by frucomerci. All releases up to and including version 2.0 are affected; no lower bound is given. Site owners running these plugin versions are exposed to the described CSRF‑to‑stored‑XSS vector.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-impact vulnerability that is exploitable through CSRF without the attacker holding any account on the site. The EPSS score of < 1% shows a very low current likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to convince a logged‑in user to access a malicious link: a low-cost attack that requires no privileged access of the attacker's own and no direct interaction with the affected plugin beyond the victim's normal user role.

Generated by OpenCVE AI on May 1, 2026 at 14:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update "List of Posts from each Category" to the latest available release or apply the vendor’s official fix once released.
  • If an update cannot be performed immediately, disable or remove the plugin from all sites to eliminate the stored‑XSS vector.
  • Implement CSRF protection for all plugin actions, for example by embedding a nonce in every form or request the plugin emits and verifying it on the server before the request is processed.
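The nonce-plus-escaping pattern from the last bullet, as an added example written for this page (it is not code from the plugin or from OpenCVE). The option name lpc_list_title, the action slug lpc_save_settings and the lpc_ prefix are assumed for illustration; the WordPress functions called are the standard core API.

```php
<?php
// Added example (not the plugin's own code): a minimal WordPress settings
// handler hardened against CSRF-to-stored-XSS. Option name, action slug and
// the "lpc_" prefix are hypothetical; the WordPress API calls are real.

// 1. Settings form: embeds a nonce bound to one specific action.
function lpc_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $title = get_option( 'lpc_list_title', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="lpc_save_settings">';
    wp_nonce_field( 'lpc_save_settings', 'lpc_nonce' ); // nonce tied to this action
    // Escape on output: a previously stored value can never become markup here.
    echo '<input type="text" name="lpc_list_title" value="' . esc_attr( $title ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// 2. Save handler: capability check, nonce check, then sanitize before storing.
function lpc_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // A forged cross-site request carries the victim's cookies but not a valid
    // nonce for this action, so check_admin_referer() terminates it here.
    check_admin_referer( 'lpc_save_settings', 'lpc_nonce' );

    $raw   = isset( $_POST['lpc_list_title'] ) ? wp_unslash( $_POST['lpc_list_title'] ) : '';
    $clean = sanitize_text_field( $raw ); // strips tags and control characters
    update_option( 'lpc_list_title', $clean );

    wp_safe_redirect( admin_url( 'options-general.php?page=lpc&updated=1' ) );
    exit;
}
add_action( 'admin_post_lpc_save_settings', 'lpc_save_settings' );

// 3. Front-end rendering of the listing: escape again at the point of output,
//    so even a value stored before the fix cannot execute as script.
function lpc_render_list_title() {
    return '<h2>' . esc_html( get_option( 'lpc_list_title', '' ) ) . '</h2>';
}
```

Both checks in the save handler matter: the capability check stops low-privilege accounts, and the nonce check stops a privileged victim's browser from being driven by a third-party page.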


Advisories
Source: EUVD
ID: EUVD-2025-7853
Title: Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0. Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS.This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0002}

epss

{'score': 0.00031}


Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.
Title WordPress List of Posts from each Category plugin for WordPress plugin <= 2.0 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:50.179Z

Reserved: 2025-03-11T08:09:09.177Z

Link: CVE-2025-28894

Vulnrichment

Updated: 2025-03-12T13:45:01.043Z

NVD

Status : Deferred

Published: 2025-03-11T21:15:46.723

Modified: 2026-06-17T09:04:50.360

Link: CVE-2025-28894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)