CVE-2025-10168
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-02
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mucasoft | any_news_ticker | 3.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Any News Ticker WordPress plugin is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its 'any-ticker' shortcode. This allows authenticated users with contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising site security. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access to inject arbitrary JavaScript into your website's pages. As a result, malicious scripts could execute in the browsers of visitors or administrators viewing those pages. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware, thereby compromising the security and integrity of your website and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying WordPress sites using the Any News Ticker plugin version 3.1.1 or earlier and checking for the presence of the 'any-ticker' shortcode in posts or pages. Since the vulnerability involves stored Cross-Site Scripting via shortcode attributes, inspecting the content of posts/pages for suspicious or malicious scripts injected through the shortcode is necessary. There are no specific commands provided in the resources, but you can use WordPress CLI commands to search for the shortcode usage, for example: `wp post list --post_type=post --format=ids | xargs -I % wp post get % --field=post_content | grep '\[any-ticker'` to find posts containing the shortcode. Additionally, monitoring HTTP responses for unexpected script injections in pages containing the ticker could help detect exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the Any News Ticker plugin from your WordPress installation, especially if it is version 3.1.1 or earlier. Since the plugin was closed and temporarily unavailable for download pending review, avoid using it until a secure version is released. Additionally, restrict contributor-level access and above to trusted users only, as the vulnerability requires authenticated users with such privileges to exploit. Review and sanitize any existing content using the 'any-ticker' shortcode to remove potentially malicious scripts. [2]