Description
The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The CC‑IMG‑Shortcode plugin renders the attributes of its 'img' shortcode without adequately sanitizing them on input or escaping them on output. An authenticated user with contributor privileges or above can therefore place a shortcode whose attribute values carry arbitrary HTML and JavaScript into post content. The payload is stored with the post and executes in the browser of anyone who views the rendered page, including any editor or administrator who previews the submitted draft, which allows defacement, theft of session data, or actions performed with the viewing user's privileges.
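As an added illustration, not the plugin's own code (which this page does not reproduce), the PHP below shows the general pattern behind a shortcode-attribute XSS beside its hardened form. The function names example_img_shortcode_weak and example_img_shortcode_hardened, the attribute set (src, alt, class) and the sample payload are assumptions for the example; shortcode_atts, esc_url, esc_attr and add_shortcode are WordPress core functions.

```php
<?php
// Added example, not CC-IMG-Shortcode's code: a shortcode handler that builds
// an <img> tag from user-supplied attributes. Names and attributes are assumed.

// Weak pattern: attribute values are interpolated into HTML with no escaping.
// A contributor who writes
//     [img src="x.png" alt='" onerror="alert(document.cookie)']
// gets the double quote out of the alt attribute and an onerror handler into
// tag context. WordPress's kses filter does not touch shortcode text on save,
// so nothing stops the payload before this function runs at render time.
function example_img_shortcode_weak( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'alt' => '', 'class' => '' ),
        $atts,
        'img'
    );
    return '<img src="' . $atts['src'] . '" alt="' . $atts['alt']
         . '" class="' . $atts['class'] . '">';
}

// Hardened form: every attribute is escaped for the context it lands in.
// esc_url() returns '' for schemes outside wp_allowed_protocols(), so
// javascript: and data: sources are dropped; esc_attr() encodes quotes and
// angle brackets so no value can break out of its attribute.
function example_img_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'src' => '', 'alt' => '', 'class' => '' ),
        $atts,
        'img'
    );
    $src = esc_url( $atts['src'] );
    if ( '' === $src ) {
        return ''; // no usable image source: emit nothing rather than a broken tag
    }
    return sprintf(
        '<img src="%s" alt="%s" class="%s">',
        $src,
        esc_attr( $atts['alt'] ),
        esc_attr( $atts['class'] )
    );
}

// Register the hardened callback for the [img] tag when loaded inside WordPress.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'img', 'example_img_shortcode_hardened' );
}
```

The point of the comparison is where the escaping happens: shortcode_atts() only fills in defaults and does not sanitize, so a handler that passes its return values straight into markup is unsafe no matter what the save-time filters did.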

Affected Systems

ClearcodeHQ’s CC‑IMG‑Shortcode WordPress plugin. All releases up to and including version 1.1.0 are affected. Site owners should check installed plugin versions for the affected range and plan an upgrade as soon as a fixed release is available.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) describes a network-reachable, low-complexity attack that needs only low privileges and no interaction from the victim; scope is changed because the injected script runs in other users' browsers rather than in the attacker's own session. The EPSS of under 1% indicates a low predicted probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, so there is no public record of it being exploited. The attack vector is the ordinary post editor: contributors cannot submit raw HTML because WordPress's kses filter strips it on save for users without the unfiltered_html capability, but a shortcode's attributes are plain text to that filter and pass through unchanged, so the escaping burden falls entirely on the plugin's render callback.

Generated by OpenCVE AI on April 21, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CC‑IMG‑Shortcode plugin to a version newer than 1.1.0, or install a patch that implements proper input sanitization and output escaping.
  • If an update is unavailable, disable or remove the plugin from sites that do not require it. WordPress has no per-role switch for individual shortcodes, so restricting the ‘img’ shortcode to trusted editors or administrators means stripping it from content saved by users who lack the unfiltered_html capability, or unregistering it with remove_shortcode() until a fix ships.
  • Review existing posts and pages that use the shortcode for injected scripts and delete any malicious content, ensuring that all attributes are free from executable code.
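The restriction in the second bullet and the review in the third can both be done with core APIs. The mu-plugin below is an added example, not something shipped by the plugin vendor or by OpenCVE; the file location, the command name cc-img-audit, the helper example_img_shortcode_findings and the suspicious-character heuristic are assumptions, while content_save_pre, get_shortcode_regex, shortcode_parse_atts, current_user_can, $wpdb and the WP_CLI API are core WordPress. The shortcode name 'img' comes from the advisory.

```php
<?php
/**
 * Added mitigation example for an affected site; not code from CC-IMG-Shortcode.
 * Save as wp-content/mu-plugins/cc-img-guard.php (assumed path). It does two things:
 *  1. strips live [img ...] shortcodes from content saved by users without the
 *     unfiltered_html capability (contributors and authors on a default install),
 *     so only trusted roles can plant the shortcode at all;
 *  2. adds a WP-CLI command that lists already-stored posts whose [img ...]
 *     attribute values contain characters an image attribute never needs
 *     (quotes, angle brackets, a javascript: scheme or an on* handler).
 */

// 1. Gate the shortcode on save. content_save_pre receives the post content
//    before it is written; returning modified content changes what is stored.
add_filter( 'content_save_pre', function ( $content ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content; // trusted role: leave content untouched
    }
    $pattern = get_shortcode_regex( array( 'img' ) ); // matches only [img ...]
    return preg_replace_callback( "/$pattern/", function ( $m ) {
        // [[img ...]] is the escaped form that renders as literal text; keep it.
        if ( '[' === $m[1] && ']' === $m[6] ) {
            return $m[0];
        }
        return ''; // drop the live shortcode entirely
    }, $content );
} );

// 2. Return the attribute values in $content's [img ...] shortcodes that look
//    like break-out attempts. Each finding records the attribute, its value and
//    the full shortcode text so a reviewer can locate it in the post.
function example_img_shortcode_findings( $content ) {
    $findings = array();
    $pattern  = get_shortcode_regex( array( 'img' ) );
    if ( ! preg_match_all( "/$pattern/", $content, $matches, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $matches as $m ) {
        if ( '[' === $m[1] && ']' === $m[6] ) {
            continue; // escaped shortcode, never rendered
        }
        $atts = shortcode_parse_atts( $m[3] ); // string when there are no attributes
        if ( ! is_array( $atts ) ) {
            continue;
        }
        foreach ( $atts as $name => $value ) {
            // Heuristic (assumed): quote or angle bracket, javascript: scheme, on*= handler.
            if ( preg_match( '/[<>"\']|javascript:|\bon\w+\s*=/i', (string) $value ) ) {
                $findings[] = array(
                    'attr'      => (string) $name,
                    'value'     => (string) $value,
                    'shortcode' => $m[0],
                );
            }
        }
    }
    return $findings;
}

// Usage: wp cc-img-audit
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'cc-img-audit', function () {
        global $wpdb;
        $rows = $wpdb->get_results( $wpdb->prepare(
            "SELECT ID, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
            '%' . $wpdb->esc_like( '[img' ) . '%'
        ) );
        foreach ( $rows as $row ) {
            foreach ( example_img_shortcode_findings( $row->post_content ) as $f ) {
                WP_CLI::warning( sprintf(
                    'post %d: attribute %s = %s', $row->ID, $f['attr'], $f['value']
                ) );
            }
        }
        WP_CLI::success( sprintf( 'scanned %d posts containing [img', count( $rows ) ) );
    } );
}
```

The save-time filter only affects content written after it is installed, which is why the audit command exists: anything a contributor stored before the guard went in is still rendered by the vulnerable callback. Users who hold unfiltered_html can still place the shortcode; that is the trust boundary WordPress already draws for raw HTML, and it is the same boundary a fixed plugin release would rely on.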


Advisories

Source: EUVD
ID: EUVD-2025-6423
Title: The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Sun, 13 Jul 2025 13:45:00 +0000
  Metrics: epss score changed from 0.00044 to 0.00057

Fri, 14 Mar 2025 14:15:00 +0000
  Metrics: ssvc added (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial

Thu, 13 Mar 2025 02:15:00 +0000
  Description added: The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title added: CC-IMG-Shortcode <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Weaknesses added: CWE-79
  References: (none listed)
  Metrics added: cvssV3_1 score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:46.179Z

Reserved: 2025-02-21T16:33:54.206Z

Link: CVE-2025-1559

Vulnrichment

Updated: 2025-03-14T13:55:10.024Z

NVD

Status: Deferred

Published: 2025-03-13T02:15:12.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses