Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iografica IG Shortcodes ig-shortcodes allows DOM-Based XSS. This issue affects IG Shortcodes: from n/a through <= 3.1.
Published: 2025-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE-79) that enables DOM‑based XSS in the iografica IG Shortcodes WordPress plugin. In a DOM‑based XSS the injection happens in the browser: client‑side JavaScript served by the plugin reads attacker‑controlled data (typically from the URL) and writes it into the page without encoding it for the HTML context. Arbitrary JavaScript then runs in the victim's browser in the context of the vulnerable site, which can lead to session hijacking, data theft, or phishing. The advisory does not identify the affected code path or parameter.

Affected Systems

Any WordPress site running the iografica IG Shortcodes plugin (slug ig-shortcodes) at any version up to and including 3.1 is affected. The advisory gives the range as "from n/a through 3.1", meaning every release up to and including 3.1. No fixed version is recorded on this page.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L), the vulnerability is of medium severity. The EPSS score of <1% indicates a low probability of exploitation today, the SSVC assessment records no known exploitation and rates the flaw as not automatable, and the issue is not listed in the CISA KEV catalog. The PR:L and UI:R components of the vector mean the attacker needs a low‑privileged account on the site and the victim must interact, typically by opening a crafted URL; the scope change (S:C) reflects that the payload executes in the victim's browser rather than on the server. Because DOM‑based XSS is triggered client‑side, the malicious input can travel in the URL fragment and never reach the server, so request‑side filtering and server logs may not observe it.

Generated by OpenCVE AI on May 1, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor and the WordPress.org plugin directory for a release later than 3.1 and upgrade to it; this page records no fixed version, so confirm from the changelog that the release addresses the XSS before relying on it.
  • If no fixed release is available, deactivate or remove the IG Shortcodes plugin so that its client‑side code is no longer served to visitors.
  • Because the issue is DOM‑based (the unsafe write happens in browser‑side JavaScript), server‑side output filtering such as wp_kses() or esc_html() applied to shortcode output does not by itself remove the sink; treat it as defense in depth rather than a fix. Since the CVSS vector requires low privileges (PR:L), also restrict the accounts that can author content containing the plugin's shortcodes to trusted users, and consider a Content Security Policy whose script-src omits 'unsafe-inline' to limit what an injected inline script or event handler can do.

Generated by OpenCVE AI on May 1, 2026 at 04:24 UTC.
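The pattern described in the analysis and the remediation notes above, as an added illustration that is not code from the IG Shortcodes plugin (the plugin's vulnerable code path is not shown on this page): a client‑side script reads a value from the URL fragment and writes it into markup unencoded, placed beside two hardened forms and a small check that flags injected markup. The parameter name ig_tab, the CSS class and the victim URL are assumptions made up for the example, and the payload is a generic benign proof‑of‑concept string. It runs under Node without a browser, so the innerHTML write is modelled as the HTML string the browser would have parsed.

```javascript
// Added illustration of the DOM-based XSS pattern; NOT code from the
// IG Shortcodes plugin. Everything below (parameter name, class, URL) is
// an assumption made for the example.

// Hypothetical parameter name read by client-side code.
const PARAM = "ig_tab";

// Constructed attacker URL. The payload sits in the fragment, which the
// browser never sends to the server, so server-side filtering cannot see it.
const ATTACK_URL =
  "https://victim.example/page/#ig_tab=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E";

// Source: pull one parameter out of the URL fragment, percent-decoded.
function readFragmentParam(url, name) {
  const u = new URL(url);
  const frag = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  return new URLSearchParams(frag).get(name) ?? "";
}

// Vulnerable sink: the untrusted value is concatenated straight into markup
// that a real page would assign to element.innerHTML.
function renderUnsafe(value) {
  return `<div class="ig-tab-title">${value}</div>`;
}

// Minimal HTML entity encoding, safe for text and quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened form 1: encode for the HTML context before building markup
// (in a browser, the equivalent is assigning textContent, not innerHTML).
function renderEscaped(value) {
  return `<div class="ig-tab-title">${escapeHtml(value)}</div>`;
}

// Hardened form 2: allow-list. Shortcode parameters are usually identifiers
// (a tab name, a slug), so anything outside a narrow character set is dropped.
function renderAllowListed(value) {
  if (!/^[a-z0-9_-]{1,64}$/i.test(value)) {
    return `<div class="ig-tab-title"></div>`;
  }
  return `<div class="ig-tab-title">${value}</div>`;
}

// Review-time check: does the rendered fragment contain a raw tag that the
// template itself did not put there? Entity-encoded text has no raw '<'.
function containsInjectedMarkup(html) {
  const inner = html
    .replace(/^<div class="ig-tab-title">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-z!\/?]/i.test(inner);
}

// Run the three renderers over the value extracted from the attacker URL.
function demo() {
  const value = readFragmentParam(ATTACK_URL, PARAM);
  return {
    value,
    unsafe: renderUnsafe(value),
    escaped: renderEscaped(value),
    allowListed: renderAllowListed(value),
    unsafeInjected: containsInjectedMarkup(renderUnsafe(value)),
    escapedInjected: containsInjectedMarkup(renderEscaped(value)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a real page the fix is to stop assigning untrusted input to innerHTML (use textContent, or a DOM‑aware sanitizer such as DOMPurify when markup genuinely must be allowed); the allow‑list variant is appropriate when the parameter is an identifier rather than free text. Note that the fragment never reaches the server, which is why the WordPress escaping functions mentioned under Remediation, which run server‑side, cannot neutralize this particular input.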


Advisories

Source: EUVD
ID: EUVD-2025-7921
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iografica IG Shortcodes allows DOM-Based XSS. This issue affects IG Shortcodes: from n/a through 3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iografica IG Shortcodes allows DOM-Based XSS. This issue affects IG Shortcodes: from n/a through 3.1.
    Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iografica IG Shortcodes ig-shortcodes allows DOM-Based XSS.This issue affects IG Shortcodes: from n/a through <= 3.1.
  Title
    Values removed: WordPress IG Shortcodes - <= <= 3.1 Cross Site Scripting (XSS) Vulnerability
    Values added: WordPress IG Shortcodes plugin <= 3.1 Cross Site Scripting (XSS) Vulnerability
  References (values not shown)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 25 Mar 2025 18:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Mar 2025 14:00:00 +0000

  Description, values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iografica IG Shortcodes allows DOM-Based XSS. This issue affects IG Shortcodes: from n/a through 3.1.
  Title, values added: WordPress IG Shortcodes - <= <= 3.1 Cross Site Scripting (XSS) Vulnerability
  Weaknesses, values added: CWE-79
  References (values not shown)
  Metrics (cvssV3_1), values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.219Z

Reserved: 2025-03-24T13:00:32.065Z

Link: CVE-2025-30597

Vulnrichment

Updated: 2025-03-25T17:48:25.180Z

NVD

Status : Deferred

Published: 2025-03-24T14:15:31.910

Modified: 2026-04-23T15:26:56.570

Link: CVE-2025-30597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:30:08Z

Weaknesses