CVE-2025-1481 - Vulnerability Details

- Shortcode Cleaner Lite <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export

Description

The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_backup() function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export arbitrary options.

Published: 2025-03-08

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Shortcode Cleaner Lite plugin contains a missing capability check in its download_backup() function. As a result, any authenticated user with Subscriber-level access and above can call this function and export arbitrary options from the WordPress database. This allows an attacker to pull sensitive configuration data, potentially compromising site integrity and privacy. The flaw is a classic missing authorization issue, classified as CWE‑862.

Affected Systems

The issue affects the Shortcode Cleaner Lite WordPress plugin by the vendor mandooox. All releases up to and including version 1.0.9 are vulnerable. WordPress sites that have installed any of these releases are exposed.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is of moderate severity. The EPSS score is below 1%, indicating that exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Because the exploit requires only a normal authenticated subscriber account, an attacker does not need elevated privileges or remote code execution, but can still unfetteredly download site options.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mandooox

Shortcode Cleaner Lite

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.9

Configuration 1 [-]

cpe:2.3:a:jozoor:shortcode_cleaner_lite:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Shortcode Cleaner Lite plugin to version 1.0.10 or later, or uninstall it if it is no longer needed.
Restrict normal subscriber accounts from accessing the plugin's export functionality by adjusting role permissions or removing them from the site.
Conduct an audit of all WordPress installations using the plugin to confirm no unauthorized backups have been exported and rotate any compromised credentials.

Generated by OpenCVE AI on April 22, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-7401	The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_backup() function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export arbitrary options.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00144.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/shortcode-cleaner-lite/trunk/vendor/codestar/codestar/core/Module/Export.php#L53
https://wordpress.org/plugins/shortcode-cleaner-lite/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/15613da5-f900-4a33-8eec-6c9e52ed30fc?source=cve

History

Wed, 12 Mar 2025 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jozoor Jozoor shortcode Cleaner Lite
CPEs		cpe:2.3:a:jozoor:shortcode_cleaner_lite::::::wordpress::*
Vendors & Products		Jozoor Jozoor shortcode Cleaner Lite

Mon, 10 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 08 Mar 2025 02:45:00 +0000

Type	Values Removed	Values Added
Description		The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_backup() function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export arbitrary options.
Title		Shortcode Cleaner Lite <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/shortcode-cleaner-lite/trunk/vendor/codestar/codestar/core/Module/Export.php#L53 https://wordpress.org/plugins/shortcode-cleaner-lite/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/15613da5-f900-4a33-8eec-6c9e52ed30fc?source=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Jozoor Shortcode Cleaner Lite

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-03-08T02:24:01.278Z

Updated: 2026-04-08T16:36:56.659Z

Reserved: 2025-02-19T20:48:39.818Z

Link: CVE-2025-1481

Vulnrichment

Updated: 2025-03-10T16:05:47.400Z

NVD

Status : Analyzed

Published: 2025-03-08T03:15:37.237

Modified: 2025-03-12T16:40:25.783

Link: CVE-2025-1481

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object