CVE-2025-8290

The List Subpages plugin for WordPress, up to version 1.0.6, is vulnerable to Stored Cross-Site Scripting (XSS) through its title parameter. The plugin provides a shortcode generator that accepts user-supplied values for parameters such as title, but fails to properly sanitize input and escape output before storing it. This allows malicious input to be persisted in the database and later rendered unsafely in the browser [1].

An attacker must have at least Contributor-level access to the WordPress site, as the vulnerability is triggered when crafting or updating a shortcode via the plugin's settings page. No additional privileges or network position are required beyond standard authenticated access. The injected script executes whenever a user views a page that contains the crafted shortcode, making it a stored XSS attack [1].

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The impact is limited to users who visit the affected page, but because the payload is stored, it can affect multiple visitors over time [1].

As of the publication date, the vendor has not released a patched version. Users are advised to restrict Contributor-level access to trusted individuals or disable the plugin until an update is available. No workaround is documented, and the vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities catalog [1].