CVE-2025-5567: Stored XSS Vulnerability in WP Shortcodes Ultimate Plugin
The WP Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS). The flaw allows an authenticated attacker with Contributor-level access or higher to store a script payload in site content; the script then runs in the browser of anyone who views the affected page, including administrators, which can lead to session or account compromise and loss of site integrity.
Vulnerability Details
- CVE ID: CVE-2025-5567
- Description: The WP Shortcodes Ultimate plugin (versions up to 7.4.0) is susceptible to Stored XSS via the 'data-url' DOM element attribute. Insufficient input sanitization and output escaping enable authenticated attackers (Contributor role or higher) to inject arbitrary web scripts in pages. These scripts execute when a user accesses the compromised page.
- CVSS Score: 6.4 (Medium)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVSS Vector Explanation:
- AV:N (Network): The vulnerability is exploitable over the network.
- AC:L (Low): The attack doesn't require any special conditions or preparation.
- PR:L (Low): The attacker needs low-level privileges (e.g., Contributor role in WordPress).
- UI:N (None): As scored, no user interaction beyond an ordinary visit to the affected page is required; the stored payload fires on page load.
- S:C (Changed): The vulnerable component (the plugin on the WordPress server) and the impacted component (the visitor's browser, where the injected script executes) are in different security scopes.
- C:L (Low): Limited impact on confidentiality.
- I:L (Low): Limited impact on integrity.
- A:N (None): No impact on availability.
- Exploit Requirements: An attacker needs to be authenticated with at least Contributor-level access.
- Affected Platform: WordPress (the flaw is in a third-party plugin; WordPress core is not affected)
- Affected Product: WP Shortcodes Ultimate Plugin
- Affected Versions: All versions up to and including 7.4.0
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- CWE Explanation: CWE-79 describes Cross-Site Scripting (XSS) vulnerabilities, where an application fails to properly sanitize user-supplied input before including it in an output web page. This allows attackers to inject malicious scripts that execute in the victim's browser.
Timeline of Events
- 2025-07-04: CVE Assigned and vulnerability reported.
Exploitability & Real-World Risk
This vulnerability is relatively easy to exploit for an authenticated user with Contributor permissions. In a real-world scenario, a malicious actor could inject JavaScript code into posts or pages using the 'data-url' attribute within a shortcode. When other users (including administrators) view these compromised pages, the injected script will execute. This could lead to account takeover, defacement of the website, or redirection to phishing sites.
Recommendations
To mitigate this vulnerability, it is highly recommended to:
- Update the WP Shortcodes Ultimate plugin to a release later than 7.4.0 that the plugin's changelog lists as fixing this issue.
- If no fixed release is available, disable or remove the plugin until one is released; stored shortcodes are inert while the plugin is inactive, but the payload text remains in the database and will render again if the vulnerable version is re-enabled.
- Review existing posts and pages for shortcodes whose attribute values contain quote characters, angle brackets, javascript: URLs or event-handler names (onmouseover, onerror, and so on), starting with content created by Contributor-level accounts, and remove or correct any that are found.
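The content review above can be automated. The scanner below is an added example, not part of the advisory or of the plugin: it parses every su_-prefixed shortcode in a set of posts using the same attribute grammar WordPress's shortcode_parse_atts() accepts (double-quoted, single-quoted and unquoted values) and flags any attribute value that looks like markup or script injection. The sample posts are constructed, and the shortcode and attribute names in them are illustrative only; feed it real rows exported from wp_posts (for example with wp db query) to use it against a site.

```python
import re

# Opening tag of any Shortcodes Ultimate shortcode (the plugin uses the su_ prefix).
# Closing tags such as [/su_button] do not match because the prefix must follow '['.
SHORTCODE_RE = re.compile(r"\[(su_\w+)([^\]]*)\]")

# Attribute grammar mirroring WordPress: name="value", name='value', or name=value.
# A single-quoted value may legitimately contain a double quote, which is exactly
# what an attacker needs to break out of the HTML attribute the plugin emits.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Heuristics for injection attempts: attribute breakout characters, javascript: URLs,
# inline event handlers, and entity-encoded quotes that might survive unescaped.
SUSPICIOUS_RE = re.compile(
    r"""["<>]|javascript\s*:|\bon\w+\s*=|&quot;|&#x?[0-9a-f]+;""", re.IGNORECASE
)


def parse_atts(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the attribute text of one shortcode."""
    pairs = []
    for m in ATTR_RE.finditer(raw):
        name = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        pairs.append((name, value))
    return pairs


def find_suspicious(posts: list[tuple[int, str]]) -> list[dict]:
    """Scan (post_id, post_content) rows and report shortcode attributes that
    contain markup- or script-like content. Returns one finding per attribute."""
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            tag, raw_atts = sc.group(1), sc.group(2)
            for name, value in parse_atts(raw_atts):
                if SUSPICIOUS_RE.search(value):
                    findings.append(
                        {"post": post_id, "shortcode": tag, "attr": name, "value": value}
                    )
    return findings


# Constructed sample rows; shortcode and attribute names are illustrative only.
SAMPLE_POSTS = [
    (101, 'Welcome! [su_button url="https://example.com/docs"]Docs[/su_button]'),
    # Single-quoted value smuggling a double quote and an event handler:
    (102, """[su_button url='" onmouseover="alert(document.cookie)']click[/su_button]"""),
    # javascript: scheme in a URL-bearing attribute:
    (103, '[su_lightbox src="javascript:alert(1)"]preview[/su_lightbox]'),
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_POSTS):
        print(f"post {f['post']}: [{f['shortcode']}] {f['attr']}={f['value']!r}")
```

Expect a few false positives from legitimate URLs that happen to contain a query parameter named like an event handler; treat the output as a triage list, and confirm each hit by checking the rendered page source for an unexpected attribute or script. Content from accounts with the unfiltered_html capability (Administrators and Editors on single-site installs) does not need this check for kses reasons, but is still worth reviewing if those accounts may be compromised.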
Technical Insight
The vulnerability lies in the plugin writing a shortcode attribute value into the 'data-url' HTML attribute of its output without validating it or escaping it for the attribute context. A value containing a double quote closes the attribute early, so the remainder of the value becomes new attributes on the element, including inline event handlers; a 'javascript:' value is a second path if the attribute is later used as a navigation target. This matters at Contributor level because WordPress filters the raw HTML such users save with KSES, which strips script tags and event handlers, but shortcodes are expanded at render time, after that filter has run, so whatever the plugin emits reaches the page unfiltered and executes in the browser of any visitor who loads it.
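To make the attribute-breakout mechanism concrete, the following added example (not the plugin's code; the markup shape, the sanitize_url() stand-in for WordPress's esc_url(), and the payload are all assumptions) renders the same attacker-supplied value through an unescaped template and through a hardened one, then parses each result the way a browser would to show which attributes actually end up on the element.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed attacker value: closes the data-url attribute and appends an event handler.
PAYLOAD = '" onmouseover="alert(document.cookie)'

# Stand-in for the vulnerable pattern: the shortcode attribute value is interpolated
# into an HTML attribute verbatim, with no escaping or URL validation.
def render_unescaped(url: str) -> str:
    return f'<a href="#" data-url="{url}">open</a>'


ALLOWED_SCHEMES = {"http", "https"}

def sanitize_url(url: str) -> str:
    """Rough stand-in for esc_url(): allow http(s) and scheme-relative URLs only."""
    url = url.strip()
    scheme = urlparse(url).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return url


# Hardened pattern: validate the URL scheme, then attribute-escape the result so
# quotes become &quot; and cannot terminate the attribute (esc_attr() equivalent).
def render_escaped(url: str) -> str:
    safe = html.escape(sanitize_url(url), quote=True)
    return f'<a href="#" data-url="{safe}">open</a>'


class _AnchorAttrs(HTMLParser):
    """Collect the attributes a parser assigns to the <a> element."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = dict(attrs)


def browser_sees(markup: str) -> dict:
    """Parse markup and return the attributes of the anchor as a browser would."""
    p = _AnchorAttrs()
    p.feed(markup)
    return p.attrs


if __name__ == "__main__":
    print("unescaped:", browser_sees(render_unescaped(PAYLOAD)))
    print("escaped:  ", browser_sees(render_escaped(PAYLOAD)))
    print("javascript: URL after sanitize:", repr(sanitize_url("javascript:alert(1)")))
```

In the unescaped case the parser reports an onmouseover attribute on the anchor, which is the injected handler; in the escaped case the whole payload survives only as the literal text of data-url and no new attribute appears. Real WordPress code should use esc_url() for URL-bearing attributes and esc_attr() for everything else at the point of output, not a custom substitute.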
Credit to Researcher(s)
This vulnerability was discovered by Wordfence.
Tags
#WordPress #Plugin #XSS #StoredXSS #CVE-2025-5567 #SecurityVulnerability #Wordfence #ShortcodesUltimate
Summary: The WP Shortcodes Ultimate plugin for WordPress is vulnerable to stored XSS, allowing authenticated attackers to inject malicious scripts. Update or disable the plugin to mitigate the risk.
CVE ID: CVE-2025-5567
Risk Analysis: Successful exploitation can lead to account takeover, website defacement, or redirection to phishing sites, potentially compromising user data and website integrity.
Recommendation: Update the WP Shortcodes Ultimate plugin to a release later than 7.4.0 that fixes this issue, or disable/remove the plugin until one is available. Review existing content that uses the plugin's shortcodes for attribute values containing quotes, angle brackets, javascript: URLs or event-handler names.