{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13608", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-24T15:08:09.981Z", "datePublished": "2025-12-15T14:25:08.567Z", "dateUpdated": "2026-04-08T16:36:39.639Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:39.639Z"}, "affected": [{"vendor": "caterhamcomputing", "product": "CC Child Pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "CC Child Pages <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/139009b5-69d4-44ca-820c-766645828e5e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3403877/cc-child-pages"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-12T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-24T20:29:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-15T02:16:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:42:36.239538Z", "id": "CVE-2025-13608", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:45:44.463Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13608", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:42:36.239538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:42:37.347Z"}}], "cna": {"title": "CC Child Pages <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "caterhamcomputing", "product": "CC Child Pages", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-12T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-24T20:29:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-15T02:16:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/139009b5-69d4-44ca-820c-766645828e5e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3403877/cc-child-pages"}], "descriptions": [{"lang": "en", "value": "The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:39.639Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13608", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:39.639Z", "dateReserved": "2025-11-24T15:08:09.981Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-15T14:25:08.567Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13608", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-15T15:15:48.340", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3403877/cc-child-pages"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/139009b5-69d4-44ca-820c-766645828e5e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:16:37.742305+00:00", "value": {"mitigation_remediation": ["Update the CC Child Pages plugin to the latest version that fixes the XSS issue if an updated release is available.", "Restrict contributor permissions or downgrade users who have editing rights with the 'child_pages' shortcode to a role that cannot modify such content.", "Exclude or disable the 'child_pages' shortcode on pages that do not require contributor editing or that are publicly accessible.", "Review existing pages for embedded script tags or malicious code added via the shortcode and remove any that appear harmful."], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This flaw targets Caterham Computing\u2019s CC Child Pages plugin for WordPress. All versions up to and including 2.0.0 are affected; the vulnerability is present in every release up to that point.", "description_and_impact": "The CC Child Pages WordPress plugin is vulnerable to stored cross\u2011site scripting. The 'child_pages' shortcode accepts four user\u2011supplied attributes\u2014use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt\u2014that are not properly sanitized or escaped, resulting in a CWE\u201179 vulnerability. An attacker can inject arbitrary JavaScript into a page that will execute whenever a user visits that page.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate risk level, while the EPSS score of less than 1% shows exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication with contributor level or higher access, the threat is confined to users who can edit content using the 'child_pages' shortcode."}}}}, "created": "2025-12-15T21:33:29.384907+00:00", "updated": "2026-04-28T10:30:29.007512+00:00", "vendors": ["caterhamcomputing", "caterhamcomputing$PRODUCT$cc_child_pages", "wordpress", "wordpress$PRODUCT$wordpress"]}