CVE-2025-4171: 
WordPress vulnerability analysis and mitigation

The WZ Followed Posts WordPress plugin contains a Stored Cross-Site Scripting vulnerability (CVE-2025-4171) discovered in May 2025. The vulnerability affects all versions up to and including 3.1.0, and is present in the plugin's 'wfp' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes (NVD, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium). The attack vector requires network access (N) with low attack complexity (L), requires low privileges (L), no user interaction (N), and affects confidentiality and integrity at a low level with no impact on availability. The technical vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD, Wiz).

The vulnerability has been patched in version 3.1.1 of the WZ Followed Posts plugin. The update includes improved input sanitization for the plugin's arguments. Users are strongly advised to update to this latest version (WordPress Changelog).