CVE-2025-6757
Description
The Recent Posts Widget Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rpwe' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Recent Posts Widget Extended plugin for WordPress via insufficient sanitization in the 'rpwe' shortcode, affecting versions up to 2.0.2.
Vulnerability
Overview The Recent Posts Widget Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.0.2. The vulnerability resides in the plugin's 'rpwe' shortcode, where user-supplied attributes are not properly sanitized or escaped before being output. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts [1].
Exploitation
Conditions To exploit this vulnerability, an attacker must have at least contributor-level access to a WordPress site. The attacker can use the 'rpwe' shortcode with crafted attributes containing malicious JavaScript. The injected script is stored in the page or post content and will execute when any user, including administrators, views the affected page. No additional privileges or network position is required beyond the contributor account [1].
Impact
Successful exploitation enables the attacker to inject arbitrary web scripts that execute in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information. The vulnerability is classified as Medium severity with a CVSS v3 score of 6.4 [1].
Mitigation
The plugin has been closed as of September 4, 2025, due to this security issue and is no longer available for download from the WordPress plugin repository. Users are advised to remove the plugin and replace it with an alternative solution. No patch is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/recent-posts-widget-extended/tags/2.0.2/includes/functions.phpnvd
- plugins.trac.wordpress.org/browser/recent-posts-widget-extended/tags/2.0.2/includes/shortcode.phpnvd
- wordpress.org/plugins/recent-posts-widget-extended/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/3b70f48f-76a6-459c-8108-3ca008471534nvd
News mentions
0No linked articles in our index yet.