WordPress Plugin Vulnerabilities

Astra Widgets < 1.2.17 - Authenticated (Editor+) Stored Cross-Site Scripting

Description

The Astra Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
astra-widgets
Fixed in 1.2.17

References

CVE
CVE-2025-68497
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b28634d1-6489-4ac2-9d64-2b7409fd462e

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
benzdeus
Verified
No
WPVDB ID
a2e1a070-421d-444a-aed7-3a531e845bdf

Timeline

Publicly Published
2025-12-28 (about 4 months ago)
Added
2026-01-05 (about 4 months ago)
Last Updated
2026-01-05 (about 4 months ago)

Other

Published
Title
Published
2014-04-25
Title
WP e-Commerce Swipe <= 3.1.0 - Multiple XSS Issues
Published
2023-05-30
Title
Chilexpress Woo Oficial <= 1.2.9 - Reflected XSS
Published
2025-05-19
Title
Newsletter < 8.8.5 - Admin+ Stored XSS via Widget
Published
2025-11-26
Title
SortTable Post <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2026-03-03
Title
All-in-One Video Gallery < 4.7.5 - Reflected Cross-Site Scripting via 'vi' Parameter