CVE-2025-68004

My Post Order <= 1.2.1.1 - Reflected Cross-Site Scripting

Severity: medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: Unpatched
Time to patch: N/A

Description

The My Post Order plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2.1.1
Published: January 19, 2026
Last updated: January 27, 2026
Affected plugin: my-posts-order
Research Plan (Unverified)


Exploitation Research Plan - CVE-2025-68004 (My Post Order)

1. Vulnerability Summary

The My Post Order plugin for WordPress (versions <= 1.2.1.1) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin's administrative interface fails to sanitize and escape the post_type (and potentially other) parameters before reflecting them back into the page's HTML. An unauthenticated attacker can craft a malicious URL containing a JavaScript payload; if an authenticated administrator clicks this link, the script will execute within their browser context.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/edit.php?page=my-posts-order
  • Vulnerable Parameter: post_type (inferred)
  • Authentication Level: Unauthenticated to craft/send the link; Administrator (victim) required to trigger execution.
  • Preconditions: The plugin must be active. At least one post type must exist (default 'post' is sufficient).

3. Code Flow

  1. Entry Point: An administrator visits wp-admin/edit.php with the query parameters page=my-posts-order and a malicious post_type.
  2. Hook Registration: The plugin registers a submenu page in the WordPress admin via add_submenu_page() (likely hooked to admin_menu).
  3. Callback Execution: WordPress invokes the plugin's menu callback function (e.g., my_posts_order_page (inferred)) to render the page content.
  4. Processing Input: The callback retrieves the post_type from the $_GET or $_REQUEST global array.
  5. Sink: The raw post_type value is echoed directly into the HTML response, typically within a hidden input field or a heading, without being passed through escaping functions like esc_attr() or esc_html().
    • Hypothetical Vulnerable Line: echo '<input type="hidden" name="post_type" value="' . $_GET['post_type'] . '">';
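The sink described in step 5, shown beside the form a fix would normally take in a WordPress plugin. This is an added illustration, not the My Post Order plugin's own code: the function names and the hidden-field markup are assumptions modelled on the hypothetical line above, and only the post_type parameter and the attribute-context sink come from the research plan.

```php
<?php
// Added illustration, not the My Post Order plugin's code. Function names and
// markup are hypothetical; the post_type parameter and the hidden-field sink
// are taken from the advisory's code-flow description.

// Vulnerable pattern (as in the hypothetical line above): the request value
// reaches the attribute unchanged, so a quote in post_type closes value=""
// and the remainder of the parameter is parsed as HTML.
function mpo_render_hidden_field_vulnerable() {
    echo '<input type="hidden" name="post_type" value="' . $_GET['post_type'] . '">';
}

// Hardened pattern:
//  - wp_unslash() removes the slashes WordPress adds to superglobals,
//  - sanitize_key() reduces the value to the [a-z0-9_-] character set a post
//    type slug is made of, so no markup can survive sanitization,
//  - post_type_exists() rejects anything that is not a registered post type,
//  - esc_attr() escapes for the attribute context at the point of output.
function mpo_render_hidden_field_hardened() {
    $post_type = isset( $_GET['post_type'] )
        ? sanitize_key( wp_unslash( $_GET['post_type'] ) )
        : 'post';

    if ( ! post_type_exists( $post_type ) ) {
        $post_type = 'post';
    }

    echo '<input type="hidden" name="post_type" value="' . esc_attr( $post_type ) . '">';
}

// The same value echoed into a heading is an HTML-text context, so the
// output escaping function changes to esc_html().
function mpo_render_heading_hardened( $post_type ) {
    echo '<h2>' . esc_html( $post_type ) . '</h2>';
}
```

esc_attr() on its own already neutralises the reflected payload; the allow-list step additionally means the page never echoes an attacker-chosen string at all, which is the property a review of any patch for this issue should confirm.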

4. Nonce Acquisition Strategy

Reflected XSS on a GET request to a plugin's administrative page typically does not require a nonce to trigger. The vulnerability lies in the rendering of the page itself, which happens before any action-specific nonces are verified.

If the XSS payload is intended to perform a follow-on CSRF action (like creating a new admin), the browser_eval tool should be used to extract the necessary nonces from the page context once the XSS has triggered:

  1. Navigate to a page where the desired nonce is localized (e.g., /wp-admin/user-new.php).
  2. Use browser_eval("document.querySelector('#_wpnonce_create-user')?.value") or check window variables.

However, for the initial Proof of Concept (PoC) demonstrating XSS, no nonce is needed.

5. Exploitation Strategy

  1. Target URL: http://localhost:8080/wp-admin/edit.php
  2. Payload: post_type=post'"><script>alert(document.domain)</script>
  3. Method: GET
  4. Steps:
    • Log in as an Administrator using the provided credentials.
    • Use the http_request tool to request the vulnerable URL with the payload.
    • Verify that the response body contains the unescaped script tag.

6. Test Data Setup

  1. Plugin Installation: Ensure the My Post Order (slug: my-posts-order) version 1.2.1.1 is installed and activated.
  2. Content Creation: Ensure there is at least one published post so the sorting interface has data to display.
    wp post create --post_type=post --post_title="Proof of Concept Post" --post_status=publish

7. Expected Results

  • The HTTP response should contain the literal string: post'"><script>alert(document.domain)</script> inside an HTML attribute or tag.
  • If viewed in a browser, a JavaScript alert box showing the domain name should appear.

8. Verification Steps

  1. Search Response Source: Check the output of the http_request for the payload.
    // Example verification in PoC script
    if (response.body.includes("post'\"><script>alert(document.domain)</script>")) {
        console.log("XSS Confirmed: Payload reflected unescaped.");
    }
  2. Manual Check: Navigate to the URL in the browser and confirm the alert fires.

9. Alternative Approaches

If the post_type parameter is sanitized, check other parameters common to sorting plugins that might be reflected:

  • orderby
  • order
  • mode
  • message (often used for "Order Updated" notifications)

Reflected Vector 2 (Inferred):
The plugin may also reflect input in the "Post Order Updated" notice.
URL: /wp-admin/edit.php?page=my-posts-order&message=<script>alert(1)</script>
