CVE-2025-1453: 
WordPress vulnerability analysis and mitigation

The Category Posts Widget WordPress plugin before version 4.9.20 contains a security vulnerability identified as CVE-2025-1453. The vulnerability was discovered by Dmitrii Ignatyev and was publicly disclosed on April 3, 2025. This security issue affects the WordPress plugin's settings functionality, specifically impacting installations where high-privilege users have access to the widget configuration (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS 3.1 Base Score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The technical issue stems from improper sanitization and escaping of settings in the plugin, particularly affecting the Template field in the Post details section of the widget configuration (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite WordPress setups. This creates a potential security risk for affected WordPress installations (WPScan).

The vulnerability has been patched in version 4.9.20 of the Category Posts Widget plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).