WordPress Plugin Vulnerabilities

Advanced Post Search <= 1.1.0 - Reflected Cross-Site Scripting

Description

The Advanced Post Search plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
advanced-post-search
No known fix

References

CVE
CVE-2025-30548
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2badc91f-78de-4152-8207-699fc5c86935

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
0xd4rk5id3
Verified
No
WPVDB ID
ef8ee2f0-1d9e-45cc-84bc-95f7ad9fe3e7

Timeline

Publicly Published
2025-03-27 (about 11 months ago)
Added
2025-04-02 (about 11 months ago)
Last Updated
2025-04-02 (about 11 months ago)

Other

Published
Title
Published
2026-01-05
Title
JetEngine < 3.7.8 - Unauthenticated Stored Cross-Site Scripting
Published
2024-12-11
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.127 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
Responsive Logo Slideshow - URL & Image Field XSS
Published
2025-01-17
Title
Tantyyellow <= 1.0.0.5 - Reflected Cross-Site Scripting
Published
2024-06-22
Title
if-so < 1.8.0.4 - Admin+ Stored XSS