Nested Pages is a popular WordPress plugin designed to help website administrators organize their pages and posts hierarchically. This plugin allows for easy drag-and-drop management of WordPress pages and custom post types, making it a valuable tool for many site owners. However, a severe vulnerability (CVE-2025-0718) has been identified in the plugin, which allows attackers to inject malicious JavaScript into the title field of posts or pages. This vulnerability, a Stored Cross-Site Scripting (XSS) flaw, can be exploited by attackers with editor privileges to potentially escalate their access to an admin account, providing full control over the WordPress site. The vulnerability affects installations with over 100k active users, making it a widespread risk.

CVE: CVE-2025-0718
Plugin: Nested Pages
Criticality: High
All Time: 2 135 444
Active installations: 100 000+
Publicly Published: March 11, 2025
Last Updated: March 11, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0718
https://wpscan.com/vulnerability/69ddd8eb-33f1-49cf-9428-3d89262b1887/

Timeline

January 6, 2025: Plugin testing and vulnerability detection in Nested Pages have been completed
January 6, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it
March 11, 2025: Registered CVE-2025-0718

Discovery of the Vulnerability

CVE-2025-0718 was discovered during a routine security review of the Nested Pages plugin. The vulnerability lies in the “title” field of posts and pages. The plugin does not properly sanitize or escape user input in this field, allowing attackers to inject JavaScript payloads. Specifically, an attacker can create a post with a title such as <img src onerror=alert(1)>. This markup is stored in the database and later executed when users interact with the affected page. The flaw is triggered when a user attempts to add a link using the “Add link” button in the plugin’s interface: when that user selects the post containing the malicious title, the JavaScript executes, potentially leading to account takeover.

Understanding XSS attacks

Cross-Site Scripting (XSS) is one of the most common vulnerabilities found in web applications, including WordPress plugins. XSS vulnerabilities allow attackers to inject malicious scripts into web pages, which are then executed by the browsers of users who visit the page. In WordPress, XSS vulnerabilities are typically found in plugins that fail to properly sanitize user input, allowing malicious users to inject harmful code that is later executed in the context of other users’ browsers. A similar vulnerability was found in the WPForms plugin (CVE-2020-2559), where attackers could inject malicious scripts into form fields. In CVE-2025-0718, the vulnerability in Nested Pages enables XSS through the post title field, potentially leading to account takeover when the injected script is executed.

Exploiting the XSS Vulnerability

To exploit CVE-2025-0718, an attacker with Contributor+ privileges proceeds as follows:

POC:

1) Create a new post or page with the title <img src onerror=alert(1)>
2) To trigger the XSS, start creating a new post via the "Add link" button.
3) Select the post created in step 1.

The risks associated with CVE-2025-0718 are considerable, especially for websites that rely on Nested Pages to manage large amounts of content. If an attacker exploits this vulnerability, they can potentially escalate their privileges, compromising the security of the entire site. Once an attacker gains control over an admin account, they can perform any action on the website, including installing malicious plugins, modifying or deleting content, stealing sensitive user information, or defacing the site. This vulnerability is particularly dangerous for e-commerce websites, membership platforms, and other sites that handle sensitive data. In a real-world scenario, an attacker could use this XSS vulnerability to create a backdoor admin account, which could allow them to bypass authentication mechanisms and maintain persistent access to the site.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2025-0718, administrators should immediately update the Nested Pages plugin to the latest version as soon as a patch is available. In the meantime, administrators should restrict editor and lower-level user capabilities to prevent them from injecting potentially malicious content into post titles. Developers should ensure that all input fields in WordPress plugins, especially those that appear on the frontend, are properly sanitized and validated. The use of functions like sanitize_text_field() and wp_kses() can help prevent XSS attacks by filtering out unsafe characters and tags. Additionally, administrators should consider implementing Content Security Policies (CSP) to restrict the execution of unauthorized scripts, as well as regularly reviewing and auditing their WordPress plugins for vulnerabilities. To prevent this type of attack, the vendor applied our recommended mitigations.
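As an added illustration (not code from Nested Pages or CleanTalk), the following JavaScript shows the pattern behind a stored title XSS in a post picker like the "Add link" dialog, next to the escaped form that the recommendations above call for. It assumes the picker is rendered client-side from stored titles; escapeHtml(), renderPickerUnsafe(), renderPickerSafe() and containsForeignTags() are hypothetical names, and SAMPLE_POSTS is constructed data.

```javascript
// Added example, not the plugin's own code. Assumes a client-side post picker
// that builds HTML from stored post titles.

// Constructed sample posts; post 2 carries the title shape from the advisory.
const SAMPLE_POSTS = [
  { id: 1, title: "Hello world" },
  { id: 2, title: "<img src onerror=alert(1)>" },
  { id: 3, title: 'Q&A: "quotes" & <b>bold</b>' },
];

// Escape the five characters that matter in HTML text and attribute contexts
// (browser-side counterpart of WordPress' esc_html()/esc_attr()).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: the stored title is concatenated straight into markup, so a
// title like <img src onerror=...> becomes a live element once the string is
// inserted with innerHTML (or jQuery's .html()).
function renderPickerUnsafe(posts) {
  return posts.map((p) => `<option value="${p.id}">${p.title}</option>`).join("");
}

// HARDENED: every untrusted value is escaped for the context it lands in, so
// the title is shown literally and no element or handler is created.
function renderPickerSafe(posts) {
  return posts
    .map((p) => `<option value="${escapeHtml(p.id)}">${escapeHtml(p.title)}</option>`)
    .join("");
}

// Audit helper: the only tag names in the rendered markup should be the ones
// the template itself emits. Any other tag means untrusted data reached the
// HTML context unescaped.
function containsForeignTags(html, allowed = ["option"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}
```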

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-0718, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2025-0718 – Nested Pages – Stored XSS to Admin Creation – POC
