Description
The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via shortcode
Action: Apply Patch
AI Analysis

Impact

The Responsive Plus WordPress plugin before version 3.4.3 exposes an AJAX action that accepts the parameter content_rech_data without validating the user’s authentication or the content's safety. An attacker can send an unauthenticated request to this AJAX endpoint and embed any shortcode, effectively executing arbitrary code on the site. This allows the attacker to compromise the confidentiality, integrity, and availability of the website by running malicious commands or injecting harmful content.

Affected Systems

WordPress sites that have the Responsive Plus plugin installed with a version earlier than 3.4.3 are affected. No specific vendor name is provided, but the vulnerability applies to all installations using that plugin version.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk, while the EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web-based, requiring no credentials, and the vulnerability could be exploited by any user with internet access to the site.

Generated by OpenCVE AI on March 27, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Responsive Plus plugin to version 3.4.3 or newer.
  • If an update is not immediately possible, disable the Responsive Plus plugin until a patch becomes available.
  • Use a security plugin or firewall rule to block unauthenticated requests to the AJAX endpoint update_responsive_woo_free_shipping_left_shortcode.
  • Monitor site logs for unexpected shortcode executions or abnormal traffic patterns.
  • Keep all WordPress core files, themes, and plugins up to date and review vendor advisories for additional patches.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-94

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-284, CWE-79

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-284, CWE-79

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-284, CWE-94

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-284, CWE-94

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared: Responsive; Responsive responsive Menu; Wordpress; Wordpress wordpress
Vendors & Products: Responsive; Responsive responsive Menu; Wordpress; Wordpress wordpress

Thu, 26 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
Description: The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.
Title: Responsive Plus < 3.4.3 - Unauthenticated Arbitrary Shortcode Execution
References

Subscriptions

Responsive Responsive Menu
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-26T13:34:48.726Z

Reserved: 2026-01-08T16:00:27.167Z

Link: CVE-2025-15488

Vulnrichment

Updated: 2026-03-26T13:34:45.926Z

NVD

Status : Deferred

Published: 2026-03-26T07:16:19.500

Modified: 2026-04-15T15:05:47.827

Link: CVE-2025-15488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:00Z

Weaknesses