Description
The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-03-29
Score: 7.3 High
EPSS: 1.4% Low
KEV: No
Impact: Code Execution
Action: Apply Patch
AI Analysis

Impact

The So-Called Air Quotes WordPress plugin is susceptible to arbitrary shortcode execution in all releases up to version 0.1. The flaw arises because user-supplied data is not validated before being passed to do_shortcode, allowing an attacker without authentication to execute any shortcode. This constitutes a code-execution vulnerability (CWE-94) that can lead to unauthorized data exposure, site defacement, or further compromise if the shortcode runs malicious code.

Affected Systems

WordPress sites that have the So-Called Air Quotes plugin version 0.1 or earlier installed are affected. The vendor is davemacd and the product is So-Called Air Quotes.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.3, indicating a high severity and a high impact on confidentiality and integrity. The EPSS score of 1% suggests that the probability of exploitation is low but not negligible, and it is not currently listed in CISA's KEV catalog. The available information suggests that unauthorized users can trigger the shortcode processing through a crafted HTTP request to the plugin's shortcode endpoint, which makes the attack vector likely to be remote over the web. No authentication is required, so widespread exploitation is theoretically possible if the plugin is widely deployed.

Generated by OpenCVE AI on April 21, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or disable the So-Called Air Quotes plugin on all WordPress installations until a secure version is released.
  • Check for and apply any available plugin updates that address the arbitrary shortcode execution flaw.
  • Restrict unauthenticated users from executing shortcodes by configuring your security plugin or web application firewall to block the do_shortcode function for non-privileged roles.
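As an added illustration that is neither the plugin's code nor part of this record: a hypothetical WordPress AJAX handler showing the unsafe pattern the description names (a request value passed straight to do_shortcode) beside a hardened version that only builds a shortcode from an allowlisted tag, sanitises the attributes and requires a nonce. Every name prefixed aq_ and the action name render_quote are assumptions.

```php
<?php
// Hypothetical plugin handler, written for this advisory; not the So-Called Air Quotes code.
// Assumed: a front-end AJAX action "render_quote" reachable by logged-out visitors.
//
// Unsafe pattern (the bug class described above): whatever the request carries is
// handed to do_shortcode, so any shortcode registered on the site can be invoked.
//
//   add_action( 'wp_ajax_nopriv_render_quote', function () {
//       echo do_shortcode( wp_unslash( $_POST['content'] ) );
//   } );
//
// Hardened pattern: the caller never supplies shortcode text, only a tag name that is
// checked against an allowlist plus attribute values that are sanitised and quoted.

const AQ_ALLOWED_TAGS = array( 'air_quote' ); // constructed: the plugin's own tag(s)

function aq_build_shortcode( string $tag, array $atts ): ?string {
    if ( ! in_array( $tag, AQ_ALLOWED_TAGS, true ) ) {
        return null; // tag not owned by this plugin: refuse rather than pass it through
    }
    $parts = array();
    foreach ( $atts as $key => $value ) {
        // Attribute names restricted to [a-z0-9_]; values stripped of the characters
        // that would close the attribute or the shortcode itself ( " [ ] ).
        if ( ! preg_match( '/^[a-z0-9_]+$/', (string) $key ) ) {
            continue;
        }
        $clean   = str_replace( array( '"', '[', ']' ), '', sanitize_text_field( (string) $value ) );
        $parts[] = sprintf( '%s="%s"', $key, esc_attr( $clean ) );
    }
    return sprintf( '[%s %s]', $tag, implode( ' ', $parts ) );
}

function aq_render_quote_handler(): void {
    // Rejects requests that do not carry a nonce issued to the page (dies with 403).
    check_ajax_referer( 'aq_render_quote', 'nonce' );
    $tag  = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    $atts = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ) ? wp_unslash( $_POST['atts'] ) : array();
    $shortcode = aq_build_shortcode( $tag, $atts );
    if ( null === $shortcode ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }
    wp_send_json_success( do_shortcode( $shortcode ) );
}
add_action( 'wp_ajax_render_quote', 'aq_render_quote_handler' );
add_action( 'wp_ajax_nopriv_render_quote', 'aq_render_quote_handler' );
```

The nonce is expected to be emitted with wp_localize_script (or wp_create_nonce) on the page that issues the request; the allowlist is the control that removes the "arbitrary shortcode" element regardless of who calls the endpoint.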


Advisories
Source: EUVD
ID: EUVD-2025-8676
Title: The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Mon, 31 Mar 2025 14:15:00 +0000

  Values added:
    Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 29 Mar 2025 07:15:00 +0000

  Values added:
    Description: The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
    Title: So-Called Air Quotes <= 0.1 - Unauthenticated Arbitrary Shortcode Execution
    Weaknesses: CWE-94
    References: (none listed in this entry)
    Metrics (cvssV3_1): {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:16.705Z

Reserved: 2025-03-25T21:32:09.084Z

Link: CVE-2025-2803

Vulnrichment

Updated: 2025-03-31T13:18:55.555Z

NVD

Status: Deferred

Published: 2025-03-29T07:15:18.770

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses