Ninja Pages <= 1.4.2 – Admin+ Stored XSS | CVE 2025-1454 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Go to the Settings > Ninja Pages.
2. Search for Page Display Options and Enter the payload: "><script>alert("XSS")</script> and select Save Options.
3. After selecting Save Options, XSS is triggered.

Affects Plugins

ninja-page-categories-and-tags

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Manas Talekar

Submitter

Manas Talekar

Verified

Yes

WPVDB ID

0089f813-82fa-4ffc-acd6-a70e67edc8ea

Timeline

Publicly Published

2025-01-08 (about 1 year ago)

Added

2025-02-26 (about 10 months ago)

Last Updated

2025-02-26 (about 10 months ago)

Other

Published

Title

Published

2025-11-18

Title

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers < 1.12.21 - Unauthenticated Stored Cross-Site Scripting

Published

2026-01-05

Title

Woffice < 5.4.31 - Reflected Cross-Site Scripting

Published

2025-05-01

Title

BuddyBoss Platform < 2.8.51 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bbp_topic_title'

Published

2025-09-10

Title

Digital Events Calendar <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via column Parameter

Published

2014-08-01

Title

Toolpage 1.6.1 - Cross-Site Scripting (XSS)