The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Unknown Responsive Plus unaffected
Version Status Constraints
0 affected
< 3.4.3

No data.

No data.

No data.

Subscriptions

No data.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://wpscan.com/vulnerability/80ce0f88-3065-48c4-a491-b70e067ce4d7/ cve-icon cve-icon
History

Thu, 26 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.
Title Responsive Plus < 3.4.3 - Unauthenticated Arbitrary Shortcode Execution
References
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-26T06:00:08.798Z

Reserved: 2026-01-08T16:00:27.167Z

Link: CVE-2025-15488

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-26T07:16:19.500

Modified: 2026-03-26T07:16:19.500

Link: CVE-2025-15488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.