Description
The Reuse Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'reuse_builder_single_post_title' shortcode in all versions up to, and including, 1.7. This is due to insufficient input sanitization and output escaping on the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The Reuse Builder plugin allows authenticated users with contributor-level access or higher to store malicious scripts by injecting them through the style attribute used by the reuse_builder_single_post_title shortcode. The injected script is stored in the database and rendered on any page that includes the shortcode, enabling the attacker to execute arbitrary JavaScript in the context of a site visitor. This vulnerability results in a confidentiality and integrity breach for the site’s users, while also giving attackers the ability to deface content or redirect users.
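The defect described above is the shortcode-handler pattern in which an attribute value is written into the page's markup without being constrained to CSS and escaped for an attribute context. The following is an added example of a hardened handler for a shortcode with a 'style' attribute; it is not the Reuse Builder plugin's code, and the shortcode name `example_single_post_title`, the function names and the attribute defaults are assumptions. The WordPress calls it uses (`add_shortcode`, `shortcode_atts`, `safecss_filter_attr`, `esc_attr`, `esc_html`, `get_the_title`) are real core functions. The weak variant is included only to contrast with the hardened one.

```php
<?php
// Added example, not the Reuse Builder plugin's own code. Shortcode name, function
// names and the single 'style' attribute are assumptions made for illustration.

// Weak pattern (illustrative): the attribute value is concatenated into the markup
// as-is. Any value that breaks out of the quoted attribute reaches the visitor's
// browser as raw HTML, which is the stored XSS the advisory describes.
function example_single_post_title_weak( $atts ) {
    $atts = shortcode_atts( array( 'style' => '' ), $atts, 'example_single_post_title' );
    return '<h1 style="' . $atts['style'] . '">' . get_the_title() . '</h1>';
}

// Hardened pattern: first constrain the value to inline CSS that WordPress's KSES
// layer allows (safecss_filter_attr keeps only allow-listed properties and drops
// declarations with constructs it does not permit), then escape the survivor for
// an attribute context with esc_attr, which neutralises quotes and angle brackets.
// The title is escaped for HTML body context as well.
function example_single_post_title_safe( $atts ) {
    $atts = shortcode_atts( array( 'style' => '' ), $atts, 'example_single_post_title' );

    $css = safecss_filter_attr( $atts['style'] );

    // Only emit a style attribute when something safe is left after filtering.
    $style_attr = ( '' !== $css ) ? ' style="' . esc_attr( $css ) . '"' : '';

    return '<h1' . $style_attr . '>' . esc_html( get_the_title() ) . '</h1>';
}

// Register the hardened handler (the weak one is never registered).
add_shortcode( 'example_single_post_title', 'example_single_post_title_safe' );
```

Both steps are needed: `esc_attr()` alone keeps the value inside the attribute but passes through any CSS the browser will evaluate, while `safecss_filter_attr()` alone does not protect the surrounding markup. Relying on post-save filtering is not enough either: content from contributor-level users is run through KSES when the post is saved, but at that point a shortcode's attributes are plain text inside square brackets rather than HTML, so nothing constrains them before the handler renders them. The output escaping has to live in the handler.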

Affected Systems

The flaw affects all installations of the Reuse Builder plugin for WordPress up to and including version 1.7. Users running version 1.7 or earlier are at risk unless they have applied a patch or workaround. The vendor, redq, has not published a specific fixed version in the available data; the issue is reported for release 1.7 and earlier.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity vulnerability. A low EPSS score (< 1%) suggests that, at the time of this analysis, exploitation attempts are rare, and the plugin is not currently listed in the CISA KEV catalog. The likely attack vector requires authenticated access at contributor level or higher and relies on the ability to add or edit content that includes the shortcode. Successful exploitation results in the execution of attacker-controlled scripts on any page that renders the affected shortcode.

Generated by OpenCVE AI on April 21, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Reuse Builder to a version newer than 1.7, preferably the latest released version where the vulnerability has been fixed.
  • If an upgrade is not immediately possible, remove or disable the reuse_builder_single_post_title shortcode from all posts and pages until a patch is applied.
  • Restrict contributor-level users from editing posts that invoke this shortcode by adjusting role permissions or implementing a plugin that blocks shortcode editing for those roles.

Generated by OpenCVE AI on April 21, 2026 at 18:39 UTC.


Advisories

No advisories yet.

History

Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 04:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Reuse Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'reuse_builder_single_post_title' shortcode in all versions up to, and including, 1.7. This is due to insufficient input sanitization and output escaping on the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Reuse Builder <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:47.726Z

Reserved: 2025-10-15T15:39:48.285Z

Link: CVE-2025-11812

Vulnrichment

Updated: 2025-11-04T14:56:20.627Z

NVD

Status : Deferred

Published: 2025-11-04T05:16:03.470

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses