Description
The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Update Plugin
AI Analysis

Impact

The WZ Followed Posts – Display what visitors are reading plugin for WordPress does not sufficiently sanitize or escape the attributes of its 'wfp' shortcode. An authenticated user with the Contributor role or higher can therefore store a shortcode with attacker-controlled attribute values in a post, and the plugin renders those values into the page unescaped. When another user views that page, the injected script runs in the victim's browser with the victim's WordPress session, so it can read page content, deface it and submit authenticated requests on the victim's behalf (for example creating users or editing posts if the victim is an administrator). Outright session-cookie theft is limited because WordPress sets its authentication cookies HttpOnly, so the practical impact is actions performed as the victim. The flaw is a classic example of CWE-79 Cross-Site Scripting.
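The pattern behind this class of bug, shown as an added example rather than the plugin's own code: a shortcode handler that concatenates attribute values straight into HTML, beside a hardened version that sanitizes each attribute for its type and escapes it for the attribute context. The attribute names (title, class, limit) and the helper wfp_render_items are hypothetical; only the shortcode name 'wfp' comes from the advisory.

```php
<?php
/*
 * Added illustration of CVE-2025-4171's bug class. This is NOT the plugin's
 * code: attribute names and the wfp_render_items helper are hypothetical.
 * Relies on the standard WordPress shortcode and escaping APIs.
 */

// VULNERABLE PATTERN: attribute values are dropped into HTML unescaped.
// Contributor content is KSES-filtered, so <script> never survives saving,
// but a value like  title='" onmouseover="alert(1)'  is plain text to KSES and
// becomes  <div class="wfp" title="" onmouseover="alert(1)">  when rendered.
function wfp_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '', 'limit' => 5 ), $atts, 'wfp' );
    return '<div class="wfp ' . $atts['class'] . '" title="' . $atts['title'] . '">'
         . wfp_render_items( (int) $atts['limit'] ) . '</div>';
}

// HARDENED: coerce or whitelist each attribute on input, then escape for the
// exact output context (esc_attr inside an HTML attribute). Never echo raw atts.
function wfp_shortcode_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'class' => '', 'limit' => 5 ), $atts, 'wfp' );
    $limit = max( 1, min( 50, absint( $atts['limit'] ) ) );  // numeric attribute: coerce and bound
    $class = sanitize_html_class( $atts['class'] );            // class name: letters, digits, - and _ only
    $title = sanitize_text_field( $atts['title'] );            // free text: strip tags and control chars
    return '<div class="wfp ' . esc_attr( $class ) . '" title="' . esc_attr( $title ) . '">'
         . wfp_render_items( $limit ) . '</div>';
}

// Hypothetical item renderer: every dynamic value is escaped for its context
// (esc_url for href, esc_html for text nodes).
function wfp_render_items( $limit ) {
    $out = '<ul>';
    foreach ( wp_get_recent_posts( array( 'numberposts' => $limit, 'post_status' => 'publish' ) ) as $p ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $p['ID'] ) ) . '">'
              . esc_html( get_the_title( $p['ID'] ) ) . '</a></li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'wfp', 'wfp_shortcode_hardened' );
```

The point to check when reviewing any shortcode handler: sanitization on input (shortcode_atts plus a per-attribute sanitizer) is not a substitute for escaping on output, because the escaping function must match the context the value lands in (esc_attr for attributes, esc_html for text, esc_url for href/src). The quote-breakout payload in the comment is exactly the kind of value KSES leaves untouched.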

Affected Systems

All releases of the WordPress plugin WZ Followed Posts – Display what visitors are reading up to and including version 3.1.0 are affected. The vulnerability resides in the plugin code and is not limited to a specific WordPress theme or configuration.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 rates the flaw Medium, and the EPSS score of < 1% indicates a very low estimated probability of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with the Contributor role or higher. Contributors can write and submit posts but cannot publish them and lack the unfiltered_html capability, which is precisely why an unescaped shortcode attribute matters: it lets a low-privileged author get script into a page that WordPress's own KSES filtering would otherwise strip. Because pending posts are reviewed and previewed by Editors and Administrators, those higher-privileged users are the likely first victims. Once the malicious shortcode is stored, the script executes for every user who renders the affected page, and the attack remains persistent until the content is removed or the plugin is updated.

Generated by OpenCVE AI on April 22, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin's WordPress.org listing for a release newer than 3.1.0. The advisory names 3.1.0 as the last affected version, so only a later release can contain a fix; if none is available, deactivate the plugin until one is.
  • If deactivating is not an option, unregister the shortcode from a must-use plugin (remove_shortcode('wfp') late on init). WordPress then leaves [wfp ...] in the content as literal text and the vulnerable handler never runs. Separately, search posts, post meta and widgets for stored 'wfp' shortcodes whose attribute values contain quotes, angle brackets, on*= handlers or javascript: URLs, and remove them or replace the values with harmless placeholders; review who authored them.
  • Deploy a Content Security Policy on the front end that disallows inline scripts and event handlers (no 'unsafe-inline' in script-src; nonce- or hash-based allow-listing). This limits what a residual payload can do to visitors, but wp-admin depends on inline scripts, so a strict policy is realistically enforceable only on the public site and is a mitigation, not a fix.
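The interim mitigation and the search for stored payloads from the list above, as an added must-use plugin that is not part of the plugin or of OpenCVE. It assumes a standard WordPress install (the $wpdb object, the shortcode API, optionally WP-CLI); the function names and the wfp-scan command are hypothetical.

```php
<?php
/*
 * Added example, not part of the WZ Followed Posts plugin or of OpenCVE.
 * Place in wp-content/mu-plugins/ on a site that cannot yet update.
 * Assumes stock WordPress ($wpdb, shortcode API). Function names are hypothetical.
 */

// 1. Neutralise the handler. Priority 100 on init runs after plugins have
//    registered their shortcodes; once 'wfp' is unregistered, WordPress leaves
//    [wfp ...] in the content as literal text instead of calling the callback.
add_action( 'init', function () {
    if ( shortcode_exists( 'wfp' ) ) {
        remove_shortcode( 'wfp' );
    }
}, 100 );

// 2. Find stored [wfp ...] shortcodes whose attribute values look like
//    attribute-breakout payloads. Contributor content is KSES-filtered, so the
//    payload is a quote that closes the attribute plus an event handler or a
//    javascript: URL rather than a <script> tag.
function wfp_scan_suspicious_shortcodes() {
    global $wpdb;
    $hits = array();
    // Constant pattern, no user input, so no prepare() placeholder is needed.
    $rows = $wpdb->get_results(
        "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts}
          WHERE post_content LIKE '%[wfp%' AND post_type <> 'revision'"
    );
    foreach ( $rows as $row ) {
        if ( ! preg_match_all( '/\[wfp\b([^\]]*)\]/i', $row->post_content, $m ) ) {
            continue;
        }
        foreach ( $m[1] as $attr_string ) {
            // shortcode_parse_atts() returns a string when there are no attributes,
            // hence the (array) cast.
            foreach ( (array) shortcode_parse_atts( $attr_string ) as $name => $value ) {
                if ( wfp_attribute_looks_malicious( (string) $value ) ) {
                    $hits[] = array(
                        'post_id' => (int) $row->ID,
                        'author'  => (int) $row->post_author,
                        'status'  => $row->post_status,
                        'attr'    => $name,
                        'value'   => $value,
                    );
                }
            }
        }
    }
    return $hits;
}

// Quotes, angle brackets, on<event>= handlers and javascript: URLs have no
// business in a display attribute; flag anything that contains them.
function wfp_attribute_looks_malicious( $value ) {
    return (bool) preg_match( '/["\'<>]|\bon\w+\s*=|javascript:/i', $value );
}

// 3. Optional WP-CLI entry point:  wp wfp-scan
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'wfp-scan', function () {
        $hits = wfp_scan_suspicious_shortcodes();
        if ( ! $hits ) {
            WP_CLI::success( 'No suspicious [wfp] shortcode attributes found.' );
            return;
        }
        WP_CLI::warning( count( $hits ) . ' suspicious attribute value(s):' );
        foreach ( $hits as $h ) {
            WP_CLI::line( sprintf( 'post %d (author %d, %s) attr %s = %s',
                $h['post_id'], $h['author'], $h['status'], $h['attr'], $h['value'] ) );
        }
    } );
}
```

The scan only covers post_content; extend the query to wp_postmeta and the widget options if the site lets those users place shortcodes there. Every hit is worth tracing back to its author, since a payload stored by a Contributor account is the indicator that the account, or the person behind it, should be reviewed.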

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-13667
Title: The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00037}
Values Added: {'score': 0.00043}


Wed, 07 May 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 07:30:00 +0000

Type: Description
Values Added: The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: WZ Followed Posts – Display what visitors are reading <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:38.536Z

Reserved: 2025-05-01T12:20:07.720Z

Link: CVE-2025-4171

Vulnrichment

Updated: 2025-05-07T13:45:28.194Z

NVD

Status: Deferred

Published: 2025-05-07T08:15:15.890

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses