VYPR
Medium severity 6.1 · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2025-14313


Description

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability which could be used against high-privilege users such as admins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in the Advance WP Query Search Filter plugin through 1.0.10 allows attacks against high-privilege users such as admins via an unsanitized parameter.

The Advance WP Query Search Filter WordPress plugin versions through 1.0.10 suffer from a Reflected Cross-Site Scripting (XSS) vulnerability. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling an attacker to inject malicious scripts [1].

To exploit the vulnerability, an attacker crafts a URL containing the malicious payload in the unsanitized parameter. The victim, typically a high-privilege user such as an administrator, must be tricked into clicking the link. No authentication is required on the attacker's part, and the attack is reflected off the server immediately [1].

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, privilege escalation, or full site compromise, particularly if an administrator is targeted [1].

As of the advisory, no fix is available. Users are advised to disable or remove the plugin until a patched version is released.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
