WP-Safety
CVE-2025-68843

FeedWordPress Advanced Filters <= 0.6.2 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The FeedWordPress Advanced Filters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.6.2
PublishedJanuary 27, 2026
Last updatedFebruary 2, 2026
Affected pluginfaf
Research Plan
Unverified

This plan outlines the research and exploitation process for **CVE-2025-68843**, a Reflected Cross-Site Scripting (XSS) vulnerability in the **FeedWordPress Advanced Filters** plugin. ### 1. Vulnerability Summary The FeedWordPress Advanced Filters plugin (up to v0.6.2) fails to properly sanitize an…

Show full research plan

This plan outlines the research and exploitation process for CVE-2025-68843, a Reflected Cross-Site Scripting (XSS) vulnerability in the FeedWordPress Advanced Filters plugin.

1. Vulnerability Summary

The FeedWordPress Advanced Filters plugin (up to v0.6.2) fails to properly sanitize and escape user-controlled input before reflecting it back in the HTML response. This vulnerability typically occurs when the plugin displays filter settings, search results, or status messages based on URL parameters ($_GET or $_REQUEST) without using WordPress escaping functions like esc_html() or esc_attr().

2. Attack Vector Analysis

  • Endpoint: Likely a frontend page where syndicated feeds are displayed or a specific plugin-generated view.
  • Vulnerable Parameter: (Inferred) Likely a parameter used for filtering or searching feeds, such as faf_filter, faf_id, or s.
  • Authentication: Unauthenticated. The vulnerability is accessible to any user who clicks a malicious link.
  • Preconditions: The plugin must be active. If the reflection happens on the frontend, a page must exist that utilizes the plugin's filtering logic.

3. Code Flow (Inferred)

  1. Entry Point: The user sends a GET request to the WordPress site with a malicious payload in a specific parameter (e.g., ?faf_filter=<script>alert(1)</script>).
  2. Processing: The plugin's code (likely hooked into init, template_redirect, or a shortcode callback) retrieves the parameter using $_GET['faf_filter'].
  3. Sink: The raw value is passed directly to an echo, print, or printf statement within a template or an admin notice that renders on the frontend.
    • Example Vulnerable Code: echo "<div>Current filter: " . $_GET['faf_filter'] . "</div>";

4. Nonce Acquisition Strategy

Reflected XSS in GET parameters generally does not require a nonce, as it is an injection into a read-only display logic rather than a state-changing operation (like an AJAX action).

However, if the reflection occurs within a wp_ajax_nopriv handler that does check nonces:

  1. Identify Variable: Search the plugin source for wp_localize_script. Look for a localization key like faf_vars or faf_settings.
  2. Create Page: Create a page containing a FeedWordPress filter or the FeedWordPress shortcode: wp post create --post_type=page --post_status=publish --post_content='[feedwordpress]' (Note: FeedWordPress uses its own display logic; check faf for its specific shortcodes).
  3. Extract: Use browser_navigate to the page and browser_eval("window.faf_vars?.nonce").

5. Exploitation Strategy

The agent will attempt to trigger a reflected XSS payload using a "canary" to confirm reflection, followed by a script payload.

Step 1: Identify the Reflecting Parameter
Perform a search through the plugin's PHP files to identify direct usage of $_GET or $_REQUEST in an echo statement.

  • grep -rP "echo.*\\\$_GET" wp-content/plugins/faf/

Step 2: Confirm Reflection (Canary)
Send an HTTP GET request to the site root (or the identified plugin page) with a unique string.

  • Tool: http_request
  • URL: http://localhost:8080/?<param>=faf_xss_canary
  • Expected Response: The string faf_xss_canary appears unencoded in the HTML body.

Step 3: Execution of XSS

  • Payload: "><script>alert(window.origin)</script> (The "> helps break out of HTML attributes if the reflection is inside a value or href).
  • Request:
    GET /?<param>=%22%3E%3Cscript%3Ealert(window.origin)%3C/script%3E HTTP/1.1
Host: localhost:8080
  • Tool: browser_navigate to the URL.
  • Success Condition: The browser's alert/dialog is triggered, or the script tag is observed in the DOM.

6. Test Data Setup

  1. Install Dependencies: Install and activate the base feedwordpress plugin, as faf (FeedWordPress Advanced Filters) is an extension.
  2. Install Target: Install faf version 0.6.2.
  3. Configure Feed: (If required by the code path) Add a sample RSS feed via FeedWordPress to ensure the filtering logic is triggered.
    • wp feedwordpress add http://localhost:8080/feed/
  4. Create View: Create a page that displays syndicated posts, as this is where "filters" are most likely to be reflected.

7. Expected Results

  • The server response will contain the literal, unescaped payload: "><script>alert(window.origin)</script>.
  • When viewed in a browser, the script will execute in the context of the WordPress site.
  • The CVSS (6.1) suggests a medium impact, consistent with a reflected XSS that can steal cookies or perform actions on behalf of a logged-in user.

8. Verification Steps

After the http_request or browser_navigate call:

  1. Source Check: Inspect the raw HTML of the response to confirm the payload is not converted to &lt;script&gt;.
  2. DOM Check: Use browser_eval("document.body.innerHTML") to verify the presence of the injected <script> tag.

9. Alternative Approaches

  • Attribute Injection: If the input is reflected inside an attribute (e.g., <input value="[INPUT]">), use a payload like x" onmouseover="alert(1).
  • Shortcode Context: If the reflection happens when processing a shortcode, test if do_shortcode or similar functions reflect the atts.
  • Admin-Side Reflection: Check if the reflection occurs on the wp-admin/admin.php?page=faf-filters page. If so, the attack requires tricking an admin into clicking the link (Reflected XSS in Admin), which has a higher impact (account takeover). In this case, use the admin_cookies for the request.
Research Findings
Static analysis — not yet PoC-verified

Summary

The FeedWordPress Advanced Filters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 0.6.2. The plugin reflects user-provided input from URL parameters directly into the HTML response without adequate sanitization or output escaping, allowing attackers to execute arbitrary scripts in a victim's browser.

Vulnerable Code

/* Inferred from vulnerability description and research plan */
/* Likely location: wp-content/plugins/faf/faf-filters.php */

if (isset($_GET['faf_filter'])) {
    echo "<div class='updated'><p>Filter applied: " . $_GET['faf_filter'] . "</p></div>";
}

---

/* Alternative potential sink in admin pages */
$id = $_REQUEST['faf_id'];
echo '<input type="hidden" name="faf_id" value="' . $id . '" />';

Security Fix

--- wp-content/plugins/faf/faf-filters.php
+++ wp-content/plugins/faf/faf-filters.php
@@ -10,3 +10,3 @@
 if (isset($_GET['faf_filter'])) {
-    echo "<div class='updated'><p>Filter applied: " . $_GET['faf_filter'] . "</p></div>";
+    echo "<div class='updated'><p>Filter applied: " . esc_html($_GET['faf_filter']) . "</p></div>";
 }
@@ -20,1 +20,1 @@
-$id = $_REQUEST['faf_id'];
+$id = isset($_REQUEST['faf_id']) ? sanitize_text_field($_REQUEST['faf_id']) : '';
-echo '<input type="hidden" name="faf_id" value="' . $id . '" />';
+echo '<input type="hidden" name="faf_id" value="' . esc_attr($id) . '" />';

Exploit Outline

1. Identify a vulnerable parameter such as 'faf_filter' or 'faf_id' that the plugin reflects back to the user interface. 2. Craft a URL containing a Cross-Site Scripting (XSS) payload. For reflection inside an HTML tag, use: `"><script>alert(window.origin)</script>`. 3. Encode the payload to ensure it is transmitted correctly via the GET request (e.g., `%22%3E%3Cscript%3Ealert(window.origin)%3C/script%3E`). 4. Distribute the malicious link to a target user or navigate to it directly to test reflection. 5. Observe the browser executing the injected script because the application fails to use WordPress escaping functions like esc_html() or esc_attr() before rendering the value.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/588becbc-19a8-40bb-938a-b33b9c6d0513?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database