{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-28894", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-03-11T08:09:09.177Z", "datePublished": "2025-03-11T21:00:48.897Z", "dateUpdated": "2026-04-01T15:46:32.733Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "list-posts-by-category", "product": "List of Posts from each Category plugin for WordPress", "vendor": "frucomerci", "versions": [{"lessThanOrEqual": "2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abdi Pranata | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:35:52.991Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS.<p>This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS.This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T15:46:32.733Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve"}], "title": "WordPress List of Posts from each Category plugin for WordPress plugin <= 2.0 - CSRF to Stored XSS vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T13:44:59.364776Z", "id": "CVE-2025-28894", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:51:04.933Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-28894", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T13:44:59.364776Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:45:01.043Z"}}], "cna": {"title": "WordPress List of Posts from each Category plugin for WordPress plugin <= 2.0 - CSRF to Stored XSS vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Abdi Pranata (Patchstack Alliance)"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "frucomerci", "product": "List of Posts from each Category plugin for WordPress", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "2.0"}], "packageName": "list-posts-by-category", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.", "supportingMedia": [{"type": "text/html", "value": "<p>Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS.</p><p>This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-03-11T21:00:48.897Z"}}}, "cveMetadata": {"cveId": "CVE-2025-28894", "state": "PUBLISHED", "dateUpdated": "2025-03-12T13:51:04.933Z", "dateReserved": "2025-03-11T08:09:09.177Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-03-11T21:00:48.897Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS.This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0."}, {"lang": "es", "value": "La vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento frucomerci List of Posts from each Category para WordPress permite XSS almacenado. Este problema afecta al plugin \"Lista de entradas de cada categor\u00eda\" para WordPress desde la versi\u00f3n n/d hasta la 2.0."}], "id": "CVE-2025-28894", "lastModified": "2026-04-01T17:19:40.533", "metrics": {}, "published": "2025-03-11T21:15:46.723", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/list-posts-by-category/vulnerability/wordpress-list-of-posts-from-each-category-plugin-for-wordpress-plugin-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{}