CVE-2025-8015: Stored XSS Vulnerability in WP Shortcodes Plugin (Shortcodes Ultimate)
🔍 TL;DR Summary
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in the WP Shortcodes Plugin – Shortcodes Ultimate for WordPress, affecting versions up to and including 7.4.2. Authenticated attackers with Author-level access or higher can inject malicious web scripts into the 'Title' and 'Slide link' fields of uploaded images, potentially compromising users who access affected pages. Update your plugin to the latest version to mitigate this risk.
🚨 Vulnerability Details
CVE ID
CVE-2025-8015
Description
The WP Shortcodes Plugin – Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image's 'Title' and 'Slide link' fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score and Vector
CVSS v3.1 Score: 6.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Explanation: This vulnerability has a medium severity because it allows an attacker with low privileges (Author role) to inject code without user interaction. The scope is changed, meaning the injected code can affect other parts of the WordPress site. Confidentiality and Integrity are impacted to a low degree, while Availability is not impacted.
Exploit Requirements
- Attacker needs a valid WordPress account with at least Author-level privileges.
- Attacker needs to upload an image using the plugin's shortcode functionality.
- Attacker can then insert the malicious payload in the 'Title' and 'Slide link' fields during the upload process.
Affected Vendor, Product, Version
- Vendor: WP Shortcodes Plugin
- Product: Shortcodes Ultimate
- Version: All versions up to and including 7.4.2
CWE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Explanation: This CWE refers to vulnerabilities that occur when user-supplied data is included in a web page without proper sanitization, allowing attackers to inject malicious scripts that execute in the victim's browser.
📅 Timeline of Events
- **2025-07-22:** Vulnerability reported to Wordfence.
- **2025-07-22:** CVE-2025-8015 assigned.
- **Unknown Date:** Patch released in a later version of the plugin (after 7.4.2).
🧠 Exploitability & Real-World Risk
This vulnerability is relatively easy to exploit, requiring only an authenticated user with Author-level permissions. In a real-world scenario, an attacker could leverage this vulnerability to inject malicious JavaScript code into pages, potentially redirecting users to phishing sites, stealing credentials, or performing other unauthorized actions. Given the popularity of the Shortcodes Ultimate plugin, this poses a significant risk to a large number of WordPress websites.
🛠️ Recommendations
- **Update:** Upgrade the WP Shortcodes Plugin (Shortcodes Ultimate) to the latest version as soon as possible.
- **Input Sanitization:** Always sanitize user inputs to prevent script injection.
- **Web Application Firewall (WAF):** Implement a WAF to detect and block malicious requests.
- **Principle of Least Privilege:** Ensure users have only the necessary permissions to perform their tasks.
🧪 Technical Insight
The vulnerability stems from the plugin's failure to properly sanitize and escape the 'Title' and 'Slide link' fields of uploaded images. This allows an attacker to inject arbitrary HTML and JavaScript code, which is then stored in the WordPress database. When a user visits a page containing the affected shortcode, the malicious code is rendered in their browser, leading to the execution of the injected script.
🙌 Credit to Researcher(s)
Wordfence
🔗 References
🧵 Tags
WordPress, Shortcodes Ultimate, XSS, CVE-2025-8015, Security, Vulnerability, Plugin
Summary: A stored Cross-Site Scripting (XSS) vulnerability exists in the WP Shortcodes Plugin (Shortcodes Ultimate) for WordPress, affecting versions up to 7.4.2. Authenticated attackers with Author-level access can inject malicious scripts via image 'Title' and 'Slide link' fields, potentially compromising users. Update immediately to mitigate the risk.
CVE ID: CVE-2025-8015
Risk Analysis: Successful exploitation can lead to account takeover, redirection to phishing sites, and other malicious actions. Given the popularity of the plugin, this poses a significant risk to many WordPress websites.
Recommendation: Update the WP Shortcodes Plugin (Shortcodes Ultimate) to the latest version. Sanitize user inputs and implement a Web Application Firewall (WAF) to prevent script injection attacks.
Timeline
- 2025-07-22: Vulnerability reported to Wordfence and CVE-2025-8015 assigned.