CVE-2025-14312
Description
The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advance WP Query Search Filter plugin ≤1.0.10 suffers from reflected XSS via an unsanitized parameter, enabling attacks against high-privilege users like admins.
The Advance WP Query Search Filter plugin for WordPress, versions up to 1.0.10, fails to sanitize and escape a parameter before including it in the page output. This flaw results in a reflected cross-site scripting (XSS) vulnerability [1]. The root cause lies in insufficient input validation on a specific parameter, likely the counter parameter as indicated in the advisory, which is directly echoed back to the user without proper encoding [1].
To exploit this vulnerability, an attacker must craft a malicious URL containing a payload in the unsanitized parameter. The lack of authentication requirements for the vulnerable endpoint means that simply tricking a logged-in administrator into clicking the crafted link can trigger the XSS. The attacker does not need any prior access to the WordPress site, making the attack surface accessible via social engineering or link injection [1].
The primary impact is the execution of arbitrary JavaScript in the context of the victim's browser session. Because the vulnerability can be used against high-privilege users such as administrators, an attacker could potentially perform actions with admin-level privileges, such as creating new administrative accounts, modifying plugin settings, or injecting malicious content across the site. This aligns with the CVSS v3 score of 6.1, which reflects the medium severity due to the requirement for user interaction and the potential for impactful outcomes [1].
At the time of the advisory (published 2025-12-30), no official fix was available for versions through 1.0.10 [1]. Users are advised to disable the plugin until a patched version is released. Given that the vulnerability is publicly known and detailed by the original researcher Yevgen Goncharuk, site administrators should consider this a priority for mitigation, potentially implementing a web application firewall rule to block malicious query strings targeting the vulnerable parameter [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
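The two output patterns the narrative above contrasts, as an added example and not code from the Advance WP Query Search Filter plugin: a request value concatenated straight into markup beside the same value validated on input and escaped for its output context. It assumes the reflected parameter is named "counter" (the page only calls that "likely"); the render functions are hypothetical, and the fallback definitions at the top exist only so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not code from the Advance WP Query Search Filter plugin.
// Assumes the reflected query parameter is called "counter" (the page's AI
// insight only says this is "likely"); the render functions are hypothetical.

// Fallbacks so the file also runs under plain `php` outside WordPress. Inside
// WordPress the real esc_attr(), sanitize_text_field() and wp_unslash() are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
}

// The vulnerable shape the CVE describes: a request value is concatenated
// straight into markup, so a quote in the value closes the attribute and
// whatever follows is rendered as live HTML in the victim's browser.
function render_counter_vulnerable(array $query): string {
    $counter = isset($query['counter']) ? $query['counter'] : '0';
    return '<input type="hidden" name="counter" value="' . $counter . '">';
}

// Hardened shape: validate on input to the type actually expected (a
// non-negative integer) and escape for the attribute context on output.
function render_counter_hardened(array $query): string {
    $raw = isset($query['counter']) ? sanitize_text_field(wp_unslash($query['counter'])) : '0';
    $counter = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($counter === false) {
        $counter = 0; // anything that is not a whole number falls back to the default
    }
    return '<input type="hidden" name="counter" value="' . esc_attr((string) $counter) . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed request values: a benign one and one that tries to break
    // out of the attribute with a closing quote and a tag.
    $inputs = [
        ['counter' => '7'],
        ['counter' => '"><b>injected</b>'],
    ];
    foreach ($inputs as $get) {
        echo "vulnerable: ", render_counter_vulnerable($get), "\n";
        echo "hardened:   ", render_counter_hardened($get), "\n\n";
    }
}
```

Run with `php example.php`: the vulnerable line for the second input shows the attribute closed and a tag appended, while the hardened line renders `value="0"` because the value never validated as an integer. Escaping alone (esc_attr on the raw string) would also stop the breakout; validating to the expected type first is what keeps junk out of the page entirely, and a WAF rule on the query string, as the narrative suggests, is only a stopgap in front of that fix.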
Affected products
- Range: <=1.0.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.