Nested Pages is a popular WordPress plugin that helps website administrators organize their pages and posts hierarchically. It provides drag-and-drop management of WordPress pages and custom post types, which makes it a valuable tool for many site owners. However, a severe vulnerability, CVE-2025-0718, has been identified in the plugin: it allows attackers to inject malicious JavaScript into the title field of posts or pages. This Stored Cross-Site Scripting (XSS) flaw can be exploited by attackers with editor privileges to potentially escalate their access to an admin account, giving them full control over the WordPress site. The plugin has over 100k active installations, which makes this a widespread risk.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-0718 |
| Plugin | Nested Pages |
| Criticality | High |
| All-time downloads | 2 135 444 |
| Active installations | 100 000+ |
| Publicly published | March 11, 2025 |
| Last updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0718, https://wpscan.com/vulnerability/69ddd8eb-33f1-49cf-9428-3d89262b1887/ |
Timeline
| Date | Event |
| --- | --- |
| January 6, 2025 | Plugin testing and vulnerability detection in Nested Pages were completed |
| January 6, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| March 11, 2025 | Registered CVE-2025-0718 |
Discovery of the Vulnerability
CVE-2025-0718 was discovered during a routine security review of the Nested Pages plugin. The vulnerability lies in the “title” field of posts and pages: the plugin does not properly sanitize or escape user input in this field, so an attacker can inject a JavaScript payload. Specifically, an attacker can create a post with a title such as `<img src onerror=alert(1)>`. This payload is stored in the database and later executed when users interact with the affected content. The flaw is triggered when a user attempts to add a link to a post using the “Add link” button in the plugin’s interface: when the post containing the malicious title is selected, the JavaScript runs in that user’s browser, which can lead to account takeover.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is one of the most common vulnerabilities found in web applications, including WordPress plugins. XSS vulnerabilities allow attackers to inject malicious scripts into web pages, which are then executed by the browsers of users who visit those pages. In WordPress, XSS vulnerabilities are typically found in plugins that fail to properly sanitize user input or escape it on output, allowing malicious users to inject code that is later executed in the context of other users’ browsers. A similar vulnerability was found in the WPForms plugin (CVE-2020-2559), where attackers could inject malicious scripts into form fields. In CVE-2025-0718, the vulnerability in Nested Pages enables XSS through the post title field, potentially leading to account takeover when the injected script is executed.
Exploiting the XSS Vulnerability
To exploit CVE-2025-0718, an attacker with Contributor+ privileges follows these steps.

PoC:

1) Create a new post or page with the title `<img src onerror=alert(1)>`.
2) To trigger the XSS, start creating a new post and use the "Add link" button.
3) Select the post created in step 1.
The risks associated with CVE-2025-0718 are considerable, especially for websites that rely on Nested Pages to manage large amounts of content. If an attacker exploits this vulnerability, they can potentially escalate their privileges, compromising the security of the entire site. Once an attacker gains control over an admin account, they can perform any action on the website, including installing malicious plugins, modifying or deleting content, stealing sensitive user information, or defacing the site. This vulnerability is particularly dangerous for e-commerce websites, membership platforms, and other sites that handle sensitive data. In a real-world scenario, an attacker could use this XSS vulnerability to create a backdoor admin account, which could allow them to bypass authentication mechanisms and maintain persistent access to the site.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2025-0718, administrators should update the Nested Pages plugin to the latest version as soon as a patched release is available. In the meantime, administrators should restrict editor and lower-level user capabilities so that those users cannot inject potentially malicious content into post titles. Developers should ensure that all input fields in WordPress plugins, especially those whose values are rendered on the frontend or in admin screens, are properly sanitized and validated, and that stored values are escaped at the point of output. Functions such as sanitize_text_field() and wp_kses() help prevent XSS attacks by filtering out unsafe characters and tags. Additionally, administrators should consider implementing a Content Security Policy (CSP) to restrict the execution of unauthorized scripts, and should regularly review and audit their WordPress plugins for vulnerabilities. To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-0718, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.