Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Philip John Author Bio Shortcode author-bio-shortcode allows Stored XSS. This issue affects Author Bio Shortcode: from n/a through <= 2.5.3.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Author Bio Shortcode plugin suffers from improper neutralization of user input during page generation, allowing malicious JavaScript to be stored in the author bio field and executed every time the bio is rendered. This stored Cross-Site Scripting can be used to inject scripts that run in visitors' browsers, potentially enabling defacement, phishing, or other client-side attacks. The description does not enumerate specific attacker outcomes, so the stated impact is limited to the execution of injected scripts within the context of the site.

Affected Systems

WordPress sites that use Philip John's Author Bio Shortcode plugin in versions up through 2.5.3 are affected. Sites where author metadata is editable by users and the plugin is active are at risk of exploitation.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to edit or create author bio content, which is commonly granted to non-administrator roles in WordPress installations. This requirement is inferred from the description, which implies that malicious input must be introduced into the bio field.

Generated by OpenCVE AI on May 2, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Author Bio Shortcode plugin to the latest available version (2.5.4 or later), which includes proper input sanitization.
  • If an update is not possible, remove or deactivate the plugin to eliminate the stored XSS vector.
  • When the plugin is retained, review its code to confirm that WordPress' escaping functions (such as esc_html() or wp_kses_post()) are applied to the bio field before output, and limit editing rights to trusted administrator users.
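As an added illustration of the last recommended action, here is a minimal WordPress shortcode handler that renders an author's stored description, shown once without escaping and once with it. This is example code, not the Author Bio Shortcode plugin's own code (which this page does not show); the shortcode name `example_author_bio` and both function names are hypothetical, while `add_shortcode()`, `shortcode_atts()`, `absint()`, `get_the_author_meta()` and `wp_kses_post()` are standard WordPress functions, so the snippet assumes it is loaded inside a WordPress plugin or theme.

```php
<?php
/*
 * Added example, not the plugin's code. Assumes it runs inside WordPress so
 * that the core helper functions used below are available. Names prefixed
 * "example_" are hypothetical.
 */

// Weak variant: the description saved on the user's profile is concatenated
// into the page unchanged, so whatever markup that field holds is rendered
// verbatim for every visitor who views a page containing the shortcode.
function example_author_bio_unescaped( $atts ) {
    $atts    = shortcode_atts(
        array( 'user' => get_the_author_meta( 'ID' ) ), // default: current post author
        $atts,
        'example_author_bio'
    );
    $user_id = absint( $atts['user'] );                 // constrain the attribute to an integer
    $bio     = get_the_author_meta( 'description', $user_id );

    return '<div class="author-bio">' . $bio . '</div>';
}

// Hardened variant: identical lookup, but the stored value passes through
// wp_kses_post() at the point of output. wp_kses_post() keeps the tag and
// attribute allowlist WordPress applies to post content and strips everything
// outside it (script elements, on* event handlers, javascript: URLs), so
// formatting in the bio survives while executable content does not.
function example_author_bio_escaped( $atts ) {
    $atts    = shortcode_atts(
        array( 'user' => get_the_author_meta( 'ID' ) ),
        $atts,
        'example_author_bio'
    );
    $user_id = absint( $atts['user'] );
    $bio     = get_the_author_meta( 'description', $user_id );

    return '<div class="author-bio">' . wp_kses_post( $bio ) . '</div>';
}

// Only the escaped handler is registered; the unescaped one is kept above for
// comparison and is never wired to a shortcode.
add_shortcode( 'example_author_bio', 'example_author_bio_escaped' );
```

`wp_kses_post()` is the right choice when contributors are allowed formatting tags (links, emphasis) in their bio; `esc_html()`, also named on this page, is stricter and renders the whole field as literal text. Either way the escaping belongs at output time, since a stored value may have been written before the plugin was updated or through a different code path than the profile form.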


Advisories
Source: EUVD
ID: EUVD-2025-9291
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Philip John Author Bio Shortcode allows Stored XSS. This issue affects Author Bio Shortcode: from n/a through 2.5.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Philip John Author Bio Shortcode allows Stored XSS. This issue affects Author Bio Shortcode: from n/a through 2.5.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Philip John Author Bio Shortcode author-bio-shortcode allows Stored XSS.This issue affects Author Bio Shortcode: from n/a through <= 2.5.3.

Type: References

Type: Metrics cvssV3_1
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 02 Apr 2025 16:15:00 +0000

Type: Metrics ssvc
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Philip John Author Bio Shortcode allows Stored XSS. This issue affects Author Bio Shortcode: from n/a through 2.5.3.

Type: Title
Values Added: WordPress Author Bio Shortcode Plugin <= 2.5.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics cvssV3_1
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:11.275Z

Reserved: 2025-04-01T13:18:48.161Z

Link: CVE-2025-31731

Vulnrichment

Updated: 2025-04-02T15:49:54.765Z

NVD

Status : Deferred

Published: 2025-04-01T15:16:09.010

Modified: 2026-04-23T15:28:08.327

Link: CVE-2025-31731

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:00:13Z

Weaknesses