CVE-2025-60147
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Feed (ht-instagram) allows Stored XSS. This issue affects HT Feed: all versions up to and including 1.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the WordPress HT Feed plugin (ht-instagram), versions up to and including 1.3.0, allows attackers with contributor-level access to plant scripts that execute in the browsers of other users who view the affected page.
Vulnerability Overview
The HT Feed plugin for WordPress (ht-instagram), in versions up to and including 1.3.0, contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation (CWE-79) [1]. An attacker can submit a payload that is saved on the server and is then executed in the browser of every user who later loads the page where the plugin renders it.
Exploitation Requirements
Exploitation requires an authenticated account with at least contributor-level privileges to submit the payload [1]. Although the payload is stored rather than reflected, the referenced advisory notes that successful exploitation may additionally require a privileged user to visit the page on which it is rendered [1]: the attacker plants the script first, and a higher-privileged user (for example an administrator) triggers it simply by browsing that page as part of normal site use. No further interaction beyond loading the page is implied.
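The pattern the overview and exploitation sections describe, as an added illustration. This is not code from HT Feed: the advisory does not identify the vulnerable field or output function, so the `feed_title` setting, the two render functions and the escaping stand-ins below are hypothetical. It shows a value saved from a contributor-level form being echoed into markup unescaped (the vulnerable form) beside the same value escaped at output with context-appropriate escapers and additionally sanitized on save (the hardened form).

```php
<?php
// Added, illustrative example: NOT code from the HT Feed plugin. The advisory
// names no vulnerable field, so "feed_title" and every function here is a
// hypothetical stand-in for the stored-XSS pattern described in the advisory.

// Stand-ins for WordPress escaping helpers so this file runs outside WordPress.
// In a real plugin call esc_attr() for attribute values and esc_html() for
// element text; both are built on htmlspecialchars() much like this.
function esc_attr_stub(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function esc_html_stub(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payload that a contributor-level account might submit through a
// plugin settings or shortcode form. Contributors normally lack the
// unfiltered_html capability, so WordPress's KSES filter would strip this
// from ordinary post content; a plugin that stores its own field without that
// filter, and echoes it without escaping, reintroduces the problem.
$stored_feed_title = '"><img src=x onerror=alert(document.cookie)>';

// Vulnerable rendering: the stored value is concatenated straight into markup.
// The leading "> closes the data-title attribute and the <img> is parsed as
// an element, so its onerror handler runs for whoever views the page.
function render_feed_vulnerable(string $title): string {
    return '<div class="ht-feed" data-title="' . $title . '">'
         . '<h3>' . $title . '</h3></div>';
}

// Hardened rendering: escape at the point of output, choosing the escaper that
// matches the context the value lands in (attribute value vs. element text).
function render_feed_hardened(string $title): string {
    return '<div class="ht-feed" data-title="' . esc_attr_stub($title) . '">'
         . '<h3>' . esc_html_stub($title) . '</h3></div>';
}

// Defence in depth: also sanitize on save so a tag never reaches the database.
// strip_tags() stands in for WordPress's sanitize_text_field(); output escaping
// above is still required, because sanitization alone is not context-aware.
function sanitize_on_save(string $input): string {
    return trim(strip_tags($input));
}

$vuln = render_feed_vulnerable($stored_feed_title);
$safe = render_feed_hardened($stored_feed_title);

// A live "<img" in the output means the browser parses the payload as markup.
$live_in_vuln = strpos($vuln, '<img') !== false;
$live_in_safe = strpos($safe, '<img') !== false;

echo "vulnerable output contains a live <img> tag: " . ($live_in_vuln ? 'yes' : 'no') . "\n";
echo "hardened output contains a live <img> tag:   " . ($live_in_safe ? 'yes' : 'no') . "\n";
echo "\nhardened markup:\n" . $safe . "\n";
echo "\nvalue after sanitize-on-save: " . sanitize_on_save($stored_feed_title) . "\n";
```

Run with `php example.php`. The vulnerable render reports a live tag and the hardened one does not: in the hardened markup the payload survives only as `&quot;&gt;&lt;img ...&gt;`, which the browser displays as text inside the attribute and heading rather than parsing as an element. The same value after `sanitize_on_save()` is reduced to `">`, which is why saving sanitized input is a useful second layer but not a substitute for escaping on output.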
Impact
An attacker exploiting this vulnerability can execute arbitrary JavaScript in the context of the victim's browser session on the site. This can lead to session hijacking, credential theft, redirection to attacker-controlled sites, or defacement of the website [1]; when the victim is an administrator, the script can also drive any action the WordPress dashboard permits for that account. The CVSS v3 base score is 6.5 (Medium).
Mitigation
The vulnerability is addressed in version 1.3.1 of the HT Feed plugin, and users are strongly advised to update immediately [1]. Where updating is not yet possible, interim measures reduce but do not remove the risk: audit and minimise the accounts holding contributor or higher roles (the privilege level needed to plant the payload), and place a web application firewall with XSS rules in front of the site. Updating remains the only definitive fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
HT Feed (ht-instagram): versions <= 1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.