Description
The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting via plugin shortcode
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows authenticated users with contributor or higher privileges to store malicious JavaScript within the row shortcode of the Memberlite Shortcodes plugin. Once stored, the script is served to anyone who visits the affected page, producing a classic stored XSS that can result in session hijacking, credential theft, or defacement. This weakness arises from failure to sanitize or escape user‑supplied attributes, and is identified as CWE‑80.

Affected Systems

WordPress sites running the Memberlite Shortcodes plugin from the developer Stranger Studios, in any version up to and including 1.4. All installations of these versions are susceptible.

Risk and Exploitability

The CVSS score of 6.4 places the flaw in the moderate range, while an EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires authentication at the contributor level or higher, and the attacker must have permission to create or edit content using the plugin. Once those conditions are met, the stored payload will execute in users' browsers whenever the shortcode renders.
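The weakness class described above (shortcode attributes interpolated into markup without sanitization or escaping) is easiest to see next to its hardened form. The following is an added illustration, not code from the Memberlite Shortcodes plugin or from Stranger Studios: the shortcode name `demo_row`, its attributes and both handler functions are hypothetical, and the snippet assumes it runs inside a loaded WordPress environment (it uses the real `shortcode_atts`, `sanitize_html_class`, `esc_attr`, `wp_kses_post`, `do_shortcode` and `add_shortcode` APIs).

```php
<?php
// Added example; not the plugin's own code. Assumes WordPress is loaded.
// [demo_row], its attributes and both handlers are hypothetical.

// BEFORE: attribute values are concatenated straight into the HTML.
// A contributor can place this shortcode in a post, so whatever they put in
// an attribute reaches every visitor's browser unescaped (the CWE-80 pattern).
function demo_row_unsafe( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'id' => '', 'style' => '' ),
        $atts,
        'demo_row_unsafe'
    );
    return '<div id="' . $atts['id'] . '" class="row ' . $atts['class'] . '"'
        . ' style="' . $atts['style'] . '">'
        . do_shortcode( $content )
        . '</div>';
}

// AFTER: each attribute is reduced to what the markup actually needs,
// then escaped at the point of output.
function demo_row_safe( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'id' => '', 'align' => 'left' ),
        $atts,
        'demo_row'
    );

    // Enumerated attribute: accept only known values, never echo the input.
    $allowed_align = array( 'left', 'center', 'right' );
    $align = in_array( $atts['align'], $allowed_align, true ) ? $atts['align'] : 'left';

    // Free-form token attributes: strip everything that is not valid in an
    // HTML class/id token. sanitize_html_class() returns '' for empty input,
    // and array_filter() drops those empties.
    $classes = array_filter(
        array_map( 'sanitize_html_class', preg_split( '/\s+/', $atts['class'] ) )
    );
    $id = sanitize_html_class( $atts['id'] );

    // Build the element; a raw "style" attribute is simply not offered.
    $html = '<div';
    if ( '' !== $id ) {
        $html .= ' id="' . esc_attr( $id ) . '"';
    }
    $class_list = array_merge( array( 'row', 'row-' . $align ), $classes );
    $html .= ' class="' . esc_attr( implode( ' ', $class_list ) ) . '">';

    // Enclosed content: keep only the HTML a post author is allowed to use,
    // then expand any nested shortcodes.
    $html .= do_shortcode( wp_kses_post( (string) $content ) );
    $html .= '</div>';

    return $html;
}

add_shortcode( 'demo_row', 'demo_row_safe' );
```

The fix has to live in the plugin's handler, which is why the recommended actions below come down to upgrading or disabling the plugin: `add_shortcode` registers the handler globally, so once the plugin is deactivated the shortcode no longer renders and stored attribute values are emitted as inert text rather than markup. When reviewing a shortcode handler, the two questions to ask are whether every attribute is either whitelisted or sanitized to the character set the target attribute allows, and whether every value is passed through the escaping function matching its output context (`esc_attr` for attributes, `esc_url` for URLs, `wp_kses_post` for rich content).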

Generated by OpenCVE AI on April 21, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Memberlite Shortcodes to the latest released version, ensuring the vulnerable 'row' shortcode implementation is fixed
  • If an updated version is not available, remove or disable the plugin entirely to eliminate the risk
  • Restrict Contributor and higher role capabilities from using shortcode editing features until a patch is applied or the plugin is removed

Generated by OpenCVE AI on April 21, 2026 at 02:52 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-29686
Title: The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 17 Sep 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Sep 2025 11:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Strangerstudios; Strangerstudios memberlite Shortcodes; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Strangerstudios; Strangerstudios memberlite Shortcodes; Wordpress; Wordpress wordpress

Wed, 17 Sep 2025 04:15:00 +0000

Type: Description
Values removed: (none)
Values added: The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values removed: (none)
Values added: Memberlite Shortcodes <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values removed: (none)
Values added: CWE-80

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Strangerstudios Memberlite Shortcodes
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:30.250Z

Reserved: 2025-09-08T18:20:26.857Z

Link: CVE-2025-10125

Vulnrichment

Updated: 2025-09-17T12:46:26.656Z

NVD

Status: Deferred

Published: 2025-09-17T04:15:53.863

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses