CVE-2025-5538 in BNS Featured Category Plugin
Summary
by MITRE • 06/06/2025
The BNS Featured Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bnsfc' shortcode in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 06/06/2025
The vulnerability identified as CVE-2025-5538 affects the BNS Featured Category plugin for WordPress, a widely used tool for displaying featured content categories on websites. This plugin has been found to contain a critical stored cross-site scripting flaw that exists in all versions up to and including 2.8.2, making it a significant security risk for WordPress installations that utilize this functionality. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's core codebase, specifically within the 'bnsfc' shortcode implementation that processes user-supplied attributes.
The technical flaw manifests through the plugin's failure to properly validate and sanitize user input parameters passed through the 'bnsfc' shortcode. When authenticated users with contributor-level access or higher submit content containing malicious script code within the plugin's attributes, the system does not adequately filter or escape these inputs before storing them in the database. This allows attackers to inject persistent malicious scripts that remain stored within the website's content until explicitly removed. The vulnerability is particularly dangerous because it operates at the contributor level, meaning even users who normally have limited permissions can exploit this flaw to compromise the entire website's security posture.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with the ability to execute arbitrary web scripts in the context of any user who accesses pages containing the malicious content. This creates a persistent threat vector that can be exploited for various malicious purposes including credential theft, session hijacking, defacement of content, or redirection to malicious websites. The stored nature of the vulnerability means that once injected, the malicious scripts will execute automatically every time affected pages are accessed, making it particularly difficult to detect and remediate. This vulnerability directly aligns with CWE-79, which describes cross-site scripting flaws, and represents a clear violation of secure coding practices that should prevent user input from being directly embedded into web pages without proper sanitization.
Organizations affected by this vulnerability should immediately implement mitigation strategies to protect their WordPress installations. The most critical immediate action is to update to the latest version of the BNS Featured Category plugin where the vulnerability has been patched. Until such updates are applied, administrators should consider implementing additional security measures such as restricting contributor-level user permissions to prevent unauthorized content submission, implementing web application firewalls to detect and block malicious script patterns, and conducting thorough audits of existing content to identify any previously injected malicious scripts. The vulnerability also highlights the importance of following ATT&CK framework principles for defensive measures, particularly those related to privilege escalation and command and control communications, as attackers could potentially use this vector to establish persistent access to compromised systems. Regular security monitoring and input validation practices should be reinforced across all WordPress plugins to prevent similar vulnerabilities from being introduced in the future.
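To illustrate the defect class described above (shortcode attributes rendered without sanitization or output escaping), here is an added example that is not the BNS Featured Category plugin's own code: a hypothetical featured-category shortcode handler written the unsafe way, followed by a hardened version that normalises each attribute on input and escapes it for its exact output context with the standard WordPress helpers. The handler names, attribute names and defaults are assumptions for illustration.

```php
<?php
// Added example: a hypothetical featured-category shortcode, NOT the BNS Featured Category code.
// The attribute names (cat, title, css_class, count) and defaults are illustrative assumptions.

// Unsafe pattern: attribute values are interpolated straight into the HTML output.
function example_fc_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'cat'       => 0,
        'title'     => '',
        'css_class' => '',
        'count'     => 5,
    ), $atts, 'example_fc' );

    // Whatever the post author typed into the shortcode lands in the page unchanged,
    // including quote characters that break out of the attribute context.
    return '<div class="' . $atts['css_class'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . '<ul data-cat="' . $atts['cat'] . '" data-count="' . $atts['count'] . '"></ul>'
         . '</div>';
}

// Hardened pattern: constrain each value to its expected shape, then escape on output.
function example_fc_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array(
        'cat'       => 0,
        'title'     => '',
        'css_class' => '',
        'count'     => 5,
    ), $atts, 'example_fc' );

    $cat       = absint( $atts['cat'] );                     // non-negative integer only
    $count     = min( absint( $atts['count'] ), 50 );        // bounded non-negative integer
    $css_class = sanitize_html_class( $atts['css_class'] );  // letters, digits, '-' and '_' only
    $title     = sanitize_text_field( $atts['title'] );      // strips tags, normalises whitespace

    // esc_attr() for attribute values, esc_html() for element text.
    return '<div class="' . esc_attr( $css_class ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3>'
         . '<ul data-cat="' . esc_attr( $cat ) . '" data-count="' . esc_attr( $count ) . '"></ul>'
         . '</div>';
}

// Register only the hardened handler.
add_shortcode( 'example_fc', 'example_fc_shortcode_safe' );
```

Because shortcode output is generated at render time, after any save-time filtering of the post body, the escaping inside the handler is the control that decides whether a contributor-supplied attribute can reach the page as markup.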