CVE-2025-14797
Unknown Unknown - Not Provided
Stored XSS in Same Category Posts WordPress Plugin Widget Title

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14797
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence same_category_posts to 1.1.19 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Same Category Posts WordPress plugin up to version 1.1.19. It occurs because the plugin uses `htmlspecialchars_decode()` on taxonomy term names before outputting them, which reverses WordPress's intentional HTML entity encoding. This allows authenticated users with Author-level access or higher to inject malicious scripts into widget titles. These scripts then execute whenever any user views the affected page, potentially compromising user security. [1]

Impact Analysis

The vulnerability can allow an attacker with Author-level access or higher to inject arbitrary JavaScript code into widget titles. When other users visit pages containing the injected widget, the malicious scripts execute in their browsers. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions depending on the injected script's intent. [1]

Detection Guidance

This vulnerability can be detected by checking if the WordPress site is running the Same Category Posts plugin version 1.1.19 or earlier, as these versions are vulnerable. You can verify the plugin version via the WordPress admin dashboard or by inspecting the plugin files. Additionally, scanning for widget titles that contain suspicious or unexpected HTML or script tags may indicate exploitation attempts. There are no specific commands provided in the resources, but a general approach is to use WP-CLI to check the plugin version: `wp plugin list --status=active` and look for 'same-category-posts' version 1.1.19 or below. Also, reviewing widget configurations for unusual content may help detect exploitation. [1, 2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Same Category Posts plugin to version 1.1.20 or later, which replaces the unsafe `htmlspecialchars_decode()` function with `wp_kses_post()` to properly sanitize widget titles and prevent stored cross-site scripting attacks. If updating immediately is not possible, restrict Author-level and higher user access until the update can be applied, and review widget titles for malicious scripts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14797. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart