{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68004", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:49.129Z", "datePublished": "2026-01-22T16:51:59.864Z", "dateUpdated": "2026-04-28T19:52:43.998Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "my-posts-order", "product": "My Post Order", "vendor": "Kapil Chugh", "versions": [{"lessThanOrEqual": "1.2.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:18.448Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.<p>This issue affects My Post Order: from n/a through <= 1.2.1.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.784Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress My Post Order plugin <= 1.2.1.1 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T17:14:14.209921Z", "id": "CVE-2025-68004", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:52:43.998Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68004", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T17:14:14.209921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T17:14:07.796Z"}}], "cna": {"title": "WordPress My Post Order plugin <= 1.2.1.1 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "Kapil Chugh", "product": "My Post Order", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2.1.1"}], "packageName": "my-posts-order", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-01-22T17:43:58.662Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.<p>This issue affects My Post Order: from n/a through <= 1.2.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-01-22T16:51:59.864Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68004", "state": "PUBLISHED", "dateUpdated": "2026-01-29T18:41:03.841Z", "dateReserved": "2025-12-15T10:00:49.129Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:59.864Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Kapil Chugh My Post Order my-posts-order permite XSS Reflejado. Este problema afecta a My Post Order: desde n/a hasta &lt;= 1.2.1.1."}], "id": "CVE-2025-68004", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:06.723", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:56:29.510249+00:00", "value": {"mitigation_remediation": ["Upgrade the My Post Order plugin to a version newer than 1.2.1.1 once an official patch is released.", "If an update is unavailable, deactivate the plugin to stop the vulnerable functionality from running.", "Deploy a web application firewall rule that blocks any script elements or attempts to inject JavaScript into responses from the My Post Order plugin."], "summary": {"action": "Immediate Patch", "impact": "Cross-site scripting (CWE-79) may allow attackers to inject scripts, potentially hijacking user sessions or defacing content"}, "threat_synthesis": {"affected_systems": "Kapil Chugh\u2019s My Post Order WordPress plugin, versions from the earliest available up through 1.2.1.1. Site owners using any of these versions are at risk.", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting flaw that occurs when user\u2011supplied input is incorporated into web page output without proper neutralization. An attacker can embed malicious JavaScript in crafted requests that is executed in the victim\u2019s browser when the page is rendered. This can enable session hijacking, credential theft, defacement or the execution of additional malicious payloads. The weakness is classified as CWE-79 and the affected versions are up to and including 1.2.1.1 of the WordPress My Post Order plugin.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a medium\u2011to\u2011high impact. The EPSS score is below 1%, suggesting that active exploitation is presently uncommon, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a reflected endpoint that accepts user input via query parameters or POST data; the attacker needs to entice a user to visit a crafted URL or submit malicious form data in an authenticated session. No additional system\u2011level prerequisites are required beyond a vulnerable plugin installation."}}}}, "created": "2026-01-23T16:30:39.879172+00:00", "updated": "2026-04-28T10:00:06.505473+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}