Vulnerabilities and security researches forcc-child-pages cc-child-pages

Jun 07, 2024

CVE, Research URL: CVE-2022-4776
Home page URL: Security reports for CC Child Pages
Application: CC Child Pages
Date: Jan 31, 2023
Research Description: The CC Child Pages WordPress plugin before 1.43 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Affected versions: max 1.43.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-13608
Home page URL: Security reports for CC Child Pages
Application: CC Child Pages
Date: Dec 15, 2025
Research Description: The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.0.1.
Status: vulnerable