CVE-2025-13608

Name of the Vulnerable Software and Affected Versions CC Child Pages plugin for WordPress versions prior to 2.0.1

Description The CC Child Pages plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'child pages' shortcode. The issue stems from inadequate input sanitization and output escaping of four user-supplied attributes – use custom link, use custom link target, use custom thumbs, and use custom excerpt – within the show child pages function. This allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts will then execute whenever a user accesses the compromised page.

Recommendations Update the CC Child Pages plugin to version 2.0.1 or later.