CVE-2025-28905

The Featured Posts Grid plugin for WordPress (versions ≤1.7) contains a Stored Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, which allows attackers to inject malicious scripts that are stored on the server and executed when other users view the affected page [1].

Exploitation of this vulnerability requires a Cross-Site Request Forgery (CSRF) attack vector. A privileged user, such as an administrator, must be tricked into performing an action — for example, clicking a malicious link or submitting a crafted form — while authenticated to the WordPress site. This action triggers the injection of the XSS payload via the plugin's settings or related features [1].

Successful exploitation allows an attacker to force higher-privileged users to execute unintended actions under their own authentication, such as altering plugin settings, modifying posts, or creating new administrative accounts with full control over the WordPress site [1]. The attacker gains the ability to execute arbitrary scripts in the context of the victim's browser, which can lead to data theft, session hijacking, or further site compromise.

As of the publication date (March 11, 2025), a patched version is not specifically noted in the advisory, but immediate action is recommended: update the plugin to the latest available version. If updating is not possible, site owners should contact their hosting provider or a web developer for assistance. The vulnerability affects plugin versions up to and including 1.7, and no workarounds are documented beyond applying the update [1].