Threat Entry Updated 2025-05-07

CVE-2025-1453 - Category Posts Widget Plugin

The Category Posts Widget WordPress plugin before 4.9.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Category Posts Widget

CVE-2025-1453

MEDIUM CVSS 4.8 2025-04-24

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-14

CVE-2024-9638 - Category Posts Widget Plugin

The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Category Posts Widget

CVE-2024-9638

MEDIUM CVSS 4.8 2025-01-07

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-27

CVE-2024-6158 - Category Posts Widget Plugin

The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Category Posts Widget

CVE-2024-6158

MEDIUM CVSS 4.8 2024-08-12

Risk Score

Open Full Technical Breakdown