Description
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The WP‑Force Images Download plugin is vulnerable to a stored cross‑site scripting flaw that occurs when an authenticated user with contributor‑level privileges inserts content using the ‘wpfid’ shortcode. The flaw is caused by inadequate sanitization of the shortcode’s class attribute, resulting in arbitrary JavaScript code being stored in the database and executed whenever a page containing the shortcode is rendered.

Affected Systems

The vulnerability affects the WP-Force Images Download plug-in for WordPress in all versions up to and including 1.8. It is not limited to a particular WordPress installation, so any site running the plug-in at or below this version is potentially exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and an EPSS score under 1% suggests the likelihood of exploitation is currently low. The plug-in is not listed in the CISA KEV catalog. The attack requires an authenticated account with contributor-level access or above, but any such account can inject scripts that run for every visitor to the affected page, so the risk is substantial on sites that grant contributor accounts to untrusted users.

Generated by OpenCVE AI on April 22, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP‑Force Images Download to the newest available release or, if the latest version is still 1.8, remove the plug‑in from the site.
  • Disable the ‘wpfid’ shortcode or replace it with a sanitized version that properly escapes the class attribute.
  • Minimize contributor‑level permissions for users who do not need them, or use stricter role‑based access controls.
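
The sanitized shortcode replacement recommended above, as an added illustration that is not the plugin's own code: a hypothetical [wpfid]-style handler in which the 'class' attribute is reduced to valid CSS class tokens with sanitize_html_class() and escaped with esc_attr() at the output sink, shown beside the unsafe pattern this advisory describes. The function_exists() shims are assumptions so the file also runs under plain PHP; inside WordPress the real helpers are used.

```php
<?php
// Added example for this advisory, not code from the WP-Force Images Download plugin.
// wpfid_unsafe() shows the CWE-79 pattern described above (raw 'class' reaches the
// page); wpfid_safe() is the hardened form. The function_exists() blocks are stand-ins
// for WordPress helpers so the file also runs under plain PHP; WordPress skips them.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_html_class' ) ) {
    function sanitize_html_class( $class, $fallback = '' ) {
        $clean = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $class );
        return '' === $clean ? $fallback : $clean;
    }
}
// Unsafe: a contributor-supplied attribute is interpolated into HTML verbatim.
function wpfid_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'class' => 'wpfid' ), $atts );
    return '<div class="' . $atts['class'] . '">Download</div>';
}

// Hardened: allow-list each class token, fall back to a default, escape at the sink.
function wpfid_safe( $atts ) {
    $atts  = shortcode_atts( array( 'class' => 'wpfid' ), $atts );
    $clean = array();
    foreach ( preg_split( '/\s+/', trim( (string) $atts['class'] ) ) as $token ) {
        $token = sanitize_html_class( $token ); // keeps only [A-Za-z0-9_-]
        if ( '' !== $token ) {
            $clean[] = $token;
        }
    }
    $class = $clean ? implode( ' ', $clean ) : 'wpfid';
    return '<div class="' . esc_attr( $class ) . '">Download</div>';
}

if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'wpfid', 'wpfid_safe' ); // hypothetical registration inside WordPress
}

// Constructed attribute value: a double quote that would close the class attribute.
$demo = array( 'class' => 'btn" data-demo="injected' );
echo wpfid_unsafe( $demo ), PHP_EOL; // the quote ends the attribute early
echo wpfid_safe( $demo ), PHP_EOL;   // the quote is stripped before output
```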

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000


Thu, 23 Oct 2025 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wordpress; Wordpress wordpress
Vendors & Products   -                Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 16:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 08:45:00 +0000

Type         Values Removed   Values Added
Description  -                The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title        -                WP-Force Images Download <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses   -                CWE-79
References
Metrics      -                cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:59.020Z

Reserved: 2025-10-15T15:16:52.275Z

Link: CVE-2025-11809

Vulnrichment

Updated: 2025-10-22T15:44:16.536Z

NVD

Status : Deferred

Published: 2025-10-22T09:15:32.680

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses