Description
The Mstoic Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'start' parameter of the ms_youtube_embeds shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Mstoic Shortcodes plugin for WordPress suffers from a stored cross‑site scripting flaw in the 'start' parameter of the ms_youtube_embeds shortcode. This weakness allows attackers who have Contributor‑level or higher access to embed arbitrary JavaScript that is persisted and executed when any user views the affected page. When executed, the malicious code can steal session cookies, hijack a logged‑in user’s session, or perform further attacks against site visitors.

Affected Systems

Mstoic Shortcodes plugin for WordPress, versions up through 2.0 inclusive. The vulnerability exists in all releases up to and including 2.0, so any WordPress site running that plugin version is affected. Administrators should verify the plugin version and upgrade when a newer, fixed release is available.

Risk and Exploitability

The CVSS score of 6.4 places this vulnerability in the medium severity range. The EPSS score of <1% indicates a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, because the flaw is stored and requires only authenticated Contributor+ access to inject code, it can affect all site visitors when the compromised content is displayed, making timely patching still advisable.

Generated by OpenCVE AI on April 21, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mstoic Shortcodes to a version newer than 2.0 or remove the plugin if it is no longer needed.
  • Review existing posts and pages that use the ms_youtube_embeds shortcode; sanitize or delete any suspicious 'start' attributes that contain javascript or other unsafe content.
  • Minimize Contributor+ privileges on the site, or use a role editor to restrict the contributor role to only editing content that does not involve shortcodes, thereby reducing the attack surface.
  • Optionally implement a Content Security Policy that blocks the execution of inline scripts on the site to mitigate the impact of any residual XSS.

Generated by OpenCVE AI on April 21, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
Description The Mstoic Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'start' parameter of the ms_youtube_embeds shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Mstoic Shortcodes <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:43.078Z

Reserved: 2025-12-05T18:50:47.744Z

Link: CVE-2025-14144

cve-icon Vulnrichment

Updated: 2026-01-07T15:10:30.538Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:53.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14144

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:45:15Z

Weaknesses