Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jtwerdy Genesis Style Shortcodes genesis-style-shortcodes allows DOM-Based XSS. This issue affects Genesis Style Shortcodes: from n/a through <= 1.0.
Published: 2025-01-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists because input supplied through the plugin's shortcodes is not properly neutralized before it is rendered into the page, allowing an attacker to inject arbitrary JavaScript. This DOM‑Based XSS flaw runs the injected script in the browsers of users who view the affected page, potentially leading to session hijacking, credential theft, or defacement of the site. The weakness is classified as CWE‑79: untrusted input is written into HTML output without escaping appropriate to the context (text, attribute, or URL) in which it lands.

Affected Systems

WordPress sites running any release of the Genesis Style Shortcodes plugin up to and including 1.0 are affected. The plugin is developed by jtwerdy (Justin Twerdy); no fixed version is listed in the advisory, so every released version should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates medium severity: the attack is network-reachable and low-complexity, but the attacker needs low privileges (PR:L, for example an account that can insert shortcodes into site content) and a victim must view the affected page (UI:R). The changed scope reflects that the payload executes in the victim's browser rather than in the plugin itself. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible, and the flaw is not listed in the CISA KEV catalog, so no exploitation in the wild has been confirmed. The likely attack vector is malicious content placed in a shortcode that the plugin renders without proper escaping; any visitor who loads a page containing the poisoned shortcode then runs the injected script.

Generated by OpenCVE AI on May 1, 2026 at 22:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Genesis Style Shortcodes plugin as soon as a version later than 1.0 that addresses the XSS flaw is released; none is listed at the time of writing.
  • Until a fix is available, ensure that any user‑supplied content passed to the plugin's shortcodes is escaped for its HTML context or removed from output.
  • Disable or delete the Genesis Style Shortcodes plugin if it is not essential to site functionality.
  • If the plugin must remain, restrict which roles can add or edit the affected shortcodes and audit existing page content for injected markup or scripts.
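The following is an added example for this advisory, not code from the Genesis Style Shortcodes plugin or from Patchstack. It illustrates the CWE‑79 pattern described under Impact and Risk and Exploitability (a shortcode attribute copied into markup without escaping) next to the escaped form that neutralizes it, and it implements the "audit page content" step from the recommendations above as a scan over a post body. The same breakout works whether the markup is assembled server-side in PHP or client-side in JavaScript; JavaScript is used here so the example runs stand-alone under Node. The shortcode name gs_button, its url and text attributes, and the sample post content are assumptions for the demonstration.

```javascript
// Added example for this advisory, not code from the Genesis Style Shortcodes
// plugin or from Patchstack. It shows the CWE-79 pattern behind a shortcode
// XSS: an attribute value copied into markup without escaping, the escaped
// version that neutralizes it, and an audit pass over post content. The
// shortcode name "gs_button", its attributes and the sample post are assumed.

// Escape the characters that matter in HTML text and attribute contexts
// (same intent as WordPress esc_attr()/esc_html()).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse one shortcode tag, e.g. [gs_button url="..." text='...'], into its
// name and attribute map. Values may be double-quoted, single-quoted or bare,
// mirroring how WordPress's shortcode_parse_atts() accepts them. A double
// quote inside a single-quoted value survives intact, which is exactly what a
// breakout payload relies on.
function parseShortcode(tag) {
  const m = /^\[(\w+)\s*([^\]]*)\]$/.exec(tag.trim());
  if (!m) return null;
  const attrs = {};
  const attrRe = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))/g;
  let a;
  while ((a = attrRe.exec(m[2])) !== null) attrs[a[1]] = a[2] ?? a[3] ?? a[4];
  return { name: m[1], attrs };
}

// Vulnerable handler: attribute values are interpolated straight into the tag.
// A text value of  " onmouseover="alert(1)  closes the title attribute and
// plants an event handler on the rendered element.
function renderButtonVulnerable(attrs) {
  const text = attrs.text || "";
  const url = attrs.url || "#";
  return `<a class="gs-button" href="${url}" title="${text}">${text}</a>`;
}

// Allow http(s) and site-relative URLs only; javascript:, data: and
// protocol-relative (//host) values are replaced with a harmless anchor.
function safeUrl(url) {
  const u = String(url || "").trim();
  return /^(https?:\/\/|\/(?!\/)|[#?])/i.test(u) ? u : "#";
}

// Hardened handler: every value is escaped for the context it lands in, and
// the href is restricted to safe schemes before escaping.
function renderButtonSafe(attrs) {
  const text = escapeHtml(attrs.text || "");
  const href = escapeHtml(safeUrl(attrs.url));
  return `<a class="gs-button" href="${href}" title="${text}">${text}</a>`;
}

// Audit pass for the "audit page content for injected scripts" step: find every
// instance of a shortcode in a post body and report attribute values that only
// make sense as an attempt to break out of the markup. Apostrophes are not
// flagged, so button text such as "Don't miss this" does not trigger it.
const SUSPICIOUS = [
  /[<>"]/,                              // tag or double-quoted attribute breakout
  /\bon\w+\s*=/i,                       // inline event handler
  /^\s*(javascript|data|vbscript):/i,   // script-bearing URL scheme
];

function auditShortcodes(postContent, shortcodeName) {
  const findings = [];
  const tagRe = new RegExp(`\\[${shortcodeName}\\b[^\\]]*\\]`, "g");
  for (const match of postContent.matchAll(tagRe)) {
    const parsed = parseShortcode(match[0]);
    if (!parsed) continue;
    for (const [attr, value] of Object.entries(parsed.attrs)) {
      if (SUSPICIOUS.some((re) => re.test(value))) findings.push({ tag: match[0], attr, value });
    }
  }
  return findings;
}

// Constructed sample post body (not from any real site): one benign shortcode,
// one with the classic attribute breakout, one with a javascript: URL.
const SAMPLE_POST = [
  "Welcome to the site.",
  '[gs_button url="https://example.com/docs" text="Read the docs"]',
  "[gs_button url='/signup' text='\" onmouseover=\"alert(document.cookie)']",
  "[gs_button url=javascript:alert(1) text=Go]",
].join("\n");

// Render the hostile shortcode both ways and run the audit over the sample.
function demo() {
  const hostile = parseShortcode(SAMPLE_POST.split("\n")[2]);
  return {
    vulnerable: renderButtonVulnerable(hostile.attrs),
    safe: renderButtonSafe(hostile.attrs),
    findings: auditShortcodes(SAMPLE_POST, "gs_button"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` and compare the two renderings: the vulnerable one contains a live `onmouseover="alert(document.cookie)"` attribute, the hardened one carries the same payload only as inert `&quot;` text, and the audit reports the breakout value and the `javascript:` URL while leaving the benign shortcode alone. In a real PHP shortcode handler the hardened shape corresponds to wrapping each attribute in esc_attr() or esc_html() and passing URLs through esc_url() before they reach the output string.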


Advisories

Source: EUVD
ID: EUVD-2025-3026
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Twerdy Genesis Style Shortcodes allows DOM-Based XSS. This issue affects Genesis Style Shortcodes: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Twerdy Genesis Style Shortcodes allows DOM-Based XSS.This issue affects Genesis Style Shortcodes: from n/a through 1.0.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jtwerdy Genesis Style Shortcodes genesis-style-shortcodes allows DOM-Based XSS.This issue affects Genesis Style Shortcodes: from n/a through <= 1.0.
References: (no values shown)
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 10 Jan 2025 21:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Jan 2025 15:45:00 +0000

Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Twerdy Genesis Style Shortcodes allows DOM-Based XSS.This issue affects Genesis Style Shortcodes: from n/a through 1.0.
Title (added): WordPress Genesis Style Shortcodes Plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses (added): CWE-79
References: (no values shown)
Metrics cvssV3_1 (added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:08.028Z

Reserved: 2025-01-07T21:05:54.010Z

Link: CVE-2025-22823

Vulnrichment

Updated: 2025-01-10T20:19:27.980Z

NVD

Status: Deferred

Published: 2025-01-09T16:16:32.717

Modified: 2026-06-17T08:50:21.547

Link: CVE-2025-22823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')