Description
The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via shortcode
Action: Patch
AI Analysis

Impact

The Ayo Shortcodes plugin for WordPress has a stored cross-site scripting vulnerability in the 'color' parameter of the ayo_action shortcode. Because the value is neither sanitized on input nor escaped on output, an authenticated user with Contributor privileges or higher can embed arbitrary JavaScript that runs whenever any user views the affected page. Such scripts can hijack sessions, alter page content, exfiltrate data, or redirect users to malicious sites: the typical stored XSS impact on the confidentiality, integrity, and availability of every visitor to the site.

Affected Systems

The issue affects Ayo Themes’ Ayo Shortcodes plugin in all releases up to and including version 0.2. Any WordPress site running this plugin without a post‑0.2 update is vulnerable. Versions beyond 0.2 are assumed fixed, unless further information reveals otherwise.

Risk and Exploitability

The CVSS score of 6.4 classifies this as a medium-severity flaw, and the current EPSS score of < 1% indicates a very low probability of exploitation in the wild. However, the vulnerability requires the attacker to hold at least Contributor privileges, which are common on many blogs and small business sites, so the compromise of any such account is sufficient to exploit it. The flaw is not listed in the CISA KEV catalog, implying no publicly confirmed exploitation, but stored XSS remains a legitimate risk wherever an attacker can inject and persist content.

Generated by OpenCVE AI on April 22, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Ayo Shortcodes release (any version newer than 0.2) to obtain the vendor’s fix.
  • If a patch is not immediately available, remove or neutralize the 'color' attribute, either by editing the shortcode handler or by adding a code snippet that strips the parameter before rendering.
  • Restrict the Contributor role or audit user capabilities so that only trusted personnel can add or edit content, and regularly scan the site for unexpected JavaScript injections.
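
A hardened handler of the kind the second action describes, added here as an illustration and not the plugin's own code (the function names, the second attribute and the output markup are assumptions): it reduces 'color' to an allow-list of safe CSS values and escapes every value at output.

```php
<?php
// Added example, not the Ayo Shortcodes plugin's own source. The second
// attribute ('url'), the markup and the function names are assumptions.

// Accept only a 3- or 6-digit hex colour or a few named colours; anything
// else (including values carrying quotes, angle brackets or a URL) is
// replaced by the default, so the attribute can never smuggle markup.
function example_safe_color( $raw, $default = '#333333' ) {
    $raw = strtolower( trim( (string) $raw ) );
    if ( preg_match( '/^#([0-9a-f]{3}|[0-9a-f]{6})$/', $raw ) ) {
        return $raw;
    }
    $named = array( 'red', 'green', 'blue', 'black', 'white' );
    return in_array( $raw, $named, true ) ? $raw : $default;
}

function example_ayo_action_shortcode( $atts, $content = null ) {
    // shortcode_atts() drops any attribute that is not in the allow-list.
    $atts = shortcode_atts(
        array( 'color' => '#333333', 'url' => '' ),
        $atts,
        'ayo_action'
    );
    $color = example_safe_color( $atts['color'] );
    // Escape at the point of output, per context: esc_attr() inside an
    // HTML attribute, esc_url() for the href, and wp_kses_post() to keep
    // only the HTML that post content is allowed to contain.
    return sprintf(
        '<a class="ayo-action" style="color:%s" href="%s">%s</a>',
        esc_attr( $color ),
        esc_url( $atts['url'] ),
        wp_kses_post( (string) $content )
    );
}

// Registering the same tag replaces any handler previously registered for it.
add_shortcode( 'ayo_action', 'example_ayo_action_shortcode' );
```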

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 09:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type: Description
Values Added: The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: Ayo Shortcodes <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:24.371Z

Reserved: 2025-12-05T18:49:24.747Z

Link: CVE-2025-14143

Vulnrichment

Updated: 2025-12-15T18:08:19.467Z

NVD

Status : Deferred

Published: 2025-12-12T04:15:48.207

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:30:22Z

Weaknesses