Stored Cross-Site Scripting in Any News Ticker Plugin for WordPress
CVE-2025-10168

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Any News Ticker
Vendor: CVE Published:; 30 September 2025

What is CVE-2025-10168?

The Any News Ticker plugin for WordPress contains a Stored Cross-Site Scripting vulnerability due to inadequate input validation and output escaping on the 'any-ticker' shortcode. This flaw allows attackers with contributor-level access and higher to embed malicious scripts into web pages. When a user visits the manipulated pages, the injected scripts will execute, potentially compromising sensitive data and the integrity of the site. It is crucial for site administrators to immediately assess their installations and implement necessary patches or mitigations to secure their websites.

Affected Version(s)

Any News Ticker * <= 3.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/any-news-ticke...

https://wordpress.org/plugins/any-news-ticker

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 30, 2025
Vulnerability Reserved
Sep 9, 2025

Credit

Djaidja Moundjid

JSON