Reflected Cross-Site Scripting in Post Grid Master Plugin for WordPress
CVE-2025-5084

6.1 MEDIUM

What is CVE-2025-5084?

The Post Grid Master plugin for WordPress is vulnerable to reflected cross-site scripting through the ‘argsArray['read_more_text']’ parameter because of improper input sanitization and output escaping. An unauthenticated attacker can have arbitrary web scripts execute in a page when a user is deceived into clicking a malicious link. All versions up to and including 3.4.13 are affected, so site administrators should patch this vulnerability to protect their users.
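A log-triage check for the parameter named above, added here as an example and not taken from the plugin or the advisory. It assumes the parameter arrives in the query string of combined-format access log lines; the sample lines, paths and addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# The advisory spells the key argsArray['read_more_text']; on the wire the
# key is normally unquoted. Match both spellings so neither is missed.
PARAM_RE = re.compile(r"^argsArray\[['\"]?read_more_text['\"]?\]$")
# Characters that let a reflected value leave plain text or an attribute.
MARKUP_RE = re.compile(r'[<>"]')
# Request part of a combined-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line):
    """Return decoded read_more_text values in the request that carry markup."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = match.group(1).partition("?")[2]
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if PARAM_RE.match(fully_decode(key)):
            decoded = fully_decode(value)
            if MARKUP_RE.search(decoded):
                hits.append(decoded)
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical /blog/ path).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /blog/?argsArray%5Bread_more_text%5D=Read+more HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /blog/?argsArray%5Bread_more_text%5D=%22%3E%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5188',
    '198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "GET /blog/?argsArray%5B%27read_more_text%27%5D=%253Cb%253E HTTP/1.1" 200 5130',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for value in suspicious_values(line):
            print("markup in read_more_text:", repr(value))
```

Values sent in a POST body do not appear in access logs, so this check covers only requests that carry the parameter in the URL.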

Affected Version(s)

Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder * <= 3.4.13

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alefe Souza