Stored Cross-Site Scripting in Any News Ticker Plugin for WordPress
CVE-2025-10168

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Any News Ticker
Vendor: CVE Published:; 30 September 2025

What is CVE-2025-10168?

The Any News Ticker plugin for WordPress contains a Stored Cross-Site Scripting vulnerability due to inadequate input validation and output escaping on the 'any-ticker' shortcode. This flaw allows attackers with contributor-level access and higher to embed malicious scripts into web pages. When a user visits the manipulated pages, the injected scripts will execute, potentially compromising sensitive data and the integrity of the site. It is crucial for site administrators to immediately assess their installations and implement necessary patches or mitigations to secure their websites.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Any News Ticker * <= 3.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/any-news-ticke...

https://wordpress.org/plugins/any-news-ticker

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Sep 30, 2025
Vulnerability Reserved
Sep 9, 2025

Credit

Djaidja Moundjid

JSON

WordPress