Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Shortcodes themify-shortcodes allows Stored XSS. This issue affects Themify Shortcodes: from n/a through <= 2.1.3.
Published: 2025-04-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw caused by the Themify Shortcodes plugin not properly neutralizing user input when generating web pages. A malicious user can embed arbitrary HTML or JavaScript that is then rendered in other users' browsers. Depending on the victim's account privileges, an attacker could steal session cookies, carry out phishing attacks, or manipulate site content. The weakness is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

The issue affects Themify Shortcodes releases up to and including version 2.1.3; no lower bound is specified (n/a). No releases after 2.1.3 have been identified as vulnerable. The plugin is provided by the vendor themifyme.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of < 1% shows that the current likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves a user viewing content that includes the vulnerable shortcode after an attacker has inserted malicious input into the shortcode via the WordPress admin interface. Exploitation requires the target's browser to load the affected page, which is typical for stored XSS.

Generated by OpenCVE AI on April 30, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Themify Shortcodes to version 2.1.4 or later.
  • If an upgrade is not feasible, disable or remove the Themify Shortcodes plugin entirely.
  • Implement site‑wide input sanitization or use a security plugin that enforces output escaping for shortcodes.


Advisories
Source: EUVD
ID: EUVD-2025-11304
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Shortcodes allows Stored XSS. This issue affects Themify Shortcodes: from n/a through 2.1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Shortcodes allows Stored XSS. This issue affects Themify Shortcodes: from n/a through 2.1.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Shortcodes themify-shortcodes allows Stored XSS.This issue affects Themify Shortcodes: from n/a through <= 2.1.3.

Type: Title
Values Removed: WordPress Themify Shortcodes <= 2.1.3 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Themify Shortcodes plugin <= 2.1.3 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 15:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Apr 2025 12:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Shortcodes allows Stored XSS. This issue affects Themify Shortcodes: from n/a through 2.1.3.

Type: Title
Values Added: WordPress Themify Shortcodes <= 2.1.3 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:35.171Z

Reserved: 2025-04-16T06:26:44.221Z

Link: CVE-2025-39581

Vulnrichment

Updated: 2025-04-16T14:22:26.235Z

NVD

Status : Deferred

Published: 2025-04-16T13:15:50.830

Modified: 2026-04-23T15:29:49.803

Link: CVE-2025-39581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:00:04Z

Weaknesses