CVE-2025-14313
Unknown Unknown - Not Provided
Reflected XSS in Advance WP Query Filter Plugin Risks Admins

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: WPScan

Description
The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14313
EUVD
EUVD-2025-205689
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
advance wp_query_search_filter 1.0.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Advance WP Query Search Filter WordPress plugin up to version 1.0.10 does not properly sanitize and escape a parameter before displaying it on the page. This flaw allows an attacker to perform a Reflected Cross-Site Scripting (XSS) attack, where malicious scripts can be injected and executed in the context of the affected website.

Impact Analysis

This vulnerability can be exploited to execute malicious scripts in the browser of high privilege users such as administrators. This could lead to unauthorized actions, theft of sensitive information, session hijacking, or other malicious activities performed with the privileges of the affected user.

Detection Guidance

This vulnerability can be detected by sending a crafted POST request to the admin-ajax.php endpoint targeting the 'taxo_ajax' action with a malicious 'excl' parameter containing a script payload. For example, using curl: curl -X POST -d 'action=taxo_ajax&excl=<script>alert(1)</script>' https://yourwordpresssite.com/wp-admin/admin-ajax.php and observing if the script executes or is reflected in the response. Detection involves checking if the 'excl' parameter is not properly sanitized and reflected back, indicating the presence of the reflected XSS vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable plugin's functionality to trusted users only, such as limiting admin-ajax.php access via firewall or security plugins, and avoiding use of the vulnerable plugin version (≀ 1.0.10) until a fix is available. Additionally, monitoring and blocking suspicious POST requests targeting the 'taxo_ajax' action with the 'excl' parameter can help reduce exploitation risk. Since no fix is currently available, consider disabling or removing the Advance WP Query Search Filter plugin until patched. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14313. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart