WordPress Plugin Vulnerabilities

Same Category Posts < 1.1.20 - Authenticated (Author+) Stored Cross-Site Scripting via Widget Title Placeholder

Description

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
same-category-posts
Fixed in 1.1.20

References

CVE
CVE-2025-14797
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/70434876-4876-4da8-9af1-6f6ef5632f26

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
7a67c669-3a8a-4ed5-9a51-7885fca1bfc3

Timeline

Publicly Published
2026-01-23 (about 4 months ago)
Added
2026-01-23 (about 4 months ago)
Last Updated
2026-01-24 (about 4 months ago)

Other

Published
Title
Published
2025-04-01
Title
Nemesis All-in-One <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-04
Title
Gutenify < 1.5.8 - Contributor+ Stored XSS
Published
2025-05-28
Title
tarteaucitron.io < 1.9.5 - Contributor+ Stored XSS
Published
2025-11-14
Title
SKT Skill Bar < 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-04-25
Title
WP eBay Product Feeds < 1.2 - Cross-Site Scripting via rss_url Parameter