cleantalk
Vulnerabilities and Security Researches

List Children, CVE-2025-4099

CVE, Research URL

CVE-2025-4099

Home page URL

Security reports for List Children

Application

List Children

Published on
May 01, 2025
Research Description
The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list_children' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 2.2.0.
Status
vulnerable
Previous vulnerability researches
SEUR Oficial (CVE-2025-46474) , May 05, 2025
SEUR Oficial (CVE-2021-25005) , Jun 07, 2024
SEUR Oficial (CVE-2021-25004) , Jun 07, 2024
SEUR Oficial (CVE-2024-9201) , Oct 20, 2024
SEUR Oficial (CVE-2024-9438) , Oct 30, 2024
New vulnerability
Absolute Links (CVE-2025-43833) , May 05, 2025
List Children (CVE-2025-4099) , May 05, 2025
Libro de Reclamaciones (CVE-2025-46446) , May 05, 2025
Enhanced Paypal Shortcodes (CVE-2025-46543) , May 05, 2025
My Custom Widgets (CVE-2025-46526) , May 05, 2025