Description
The azurecurve Shortcodes in Comments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-04-10
Score: 7.3 High
EPSS: 1.4% Low
KEV: No
Impact: Arbitrary Code Execution via WordPress plugin
Action: Immediate Patch
AI Analysis

Impact

The azurecurve Shortcodes in Comments plugin allows an attacker to execute any shortcode string submitted through a comment, because the submitted value is passed to do_shortcode without proper validation. This flaw enables unauthenticated users to run arbitrary code within the context of the WordPress site, potentially leading to full site compromise, data theft, or defacement.

Affected Systems

WordPress sites that have the azurecurve Shortcodes in Comments plugin installed with a version up to and including 2.0.2 are affected. No other products or versions are listed as impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.3, indicating high severity, and an EPSS of 1%, showing it is considered a realistic exploitation candidate. It is not listed in the CISA KEV catalog. The attack vector is unauthenticated comment submission, meaning any visitor can exploit the flaw without needing privileged access.

Generated by OpenCVE AI on April 22, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the azurecurve Shortcodes in Comments plugin to a version newer than 2.0.2, which contains the patch that validates shortcode input before execution.
  • If an update cannot be applied immediately, completely remove or deactivate the plugin to eliminate the attack surface, or configure WordPress to disallow the use of shortcodes in comments via the ‘comment_pre_comment’ filter or a custom code snippet.
  • After removal or update, review the comment system to ensure no other plugins or custom code reintroduce the same vulnerability by inserting unvalidated shortcode data into the comment content.



Advisories
Source: EUVD
ID: EUVD-2025-10471
Title: The azurecurve Shortcodes in Comments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Thu, 10 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 10 Apr 2025 07:15:00 +0000

Type: Description
Values Added: The azurecurve Shortcodes in Comments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Type: Title
Values Added: azurecurve Shortcodes in Comments <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:47.218Z

Reserved: 2025-03-25T22:17:37.469Z

Link: CVE-2025-2809

Vulnrichment

Updated: 2025-04-10T13:38:32.878Z

NVD

Status : Deferred

Published: 2025-04-10T07:15:41.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses