cleantalk
Vulnerabilities and Security Researches

CC Child Pages, CVE-2025-13608

CVE, Research URL

CVE-2025-13608

Home page URL

Security reports for CC Child Pages

Application

CC Child Pages

Published on
Dec 15, 2025
Research Description
The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.0.1.
Status
vulnerable
Previous vulnerability researches
WC Fields Factory (CVE-2023-0277) , Jun 07, 2024
WC Fields Factory (6cc027737736ffa5a4ad7d18f7aacab3368b4dae) , Jun 07, 2024
New vulnerability
Download Plugins and Themes from Dashboard (CVE-2025-14399) , Jan 10, 2026
Heateor Social Login WordPress (CVE-2025-68998) , Jan 10, 2026
AnnunciFunebri Impresa (CVE-2025-14447) , Jan 10, 2026
Serial Codes Generator and Validator with WooCommerce Support (CVE-2025-62091) , Jan 10, 2026
Effect Maker (CVE-2025-68867) , Jan 10, 2026