Description
The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
Published: 2025-05-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Assess Impact
AI Analysis

Impact

The EG‑Series WordPress plugin contains a stored cross‑site scripting flaw in its [series] shortcode. The shortcode accepts a "titletag" attribute that is not properly sanitized or escaped. An attacker who can authenticate with contributor‑level access or higher can embed arbitrary JavaScript into that attribute. When a page containing the injected shortcode is viewed, the malicious script executes in the victim’s browser context.

Affected Systems

Any WordPress site running the EG‑Series plugin version 2.1.1 or earlier is vulnerable, provided the Classic Editor plugin is active. The Classic Editor allows contributors to add or edit content, so sites where contributors have page‑editing rights and the Classic Editor is enabled are at risk. The vulnerability is specific to the EG‑Series product by emmanuelg.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the short term. Attackers must first authenticate to the WordPress site with at least contributor privileges; the flaw is not remotely exploitable without authentication. The issue is not listed in the CISA KEV catalog, so it is not known to be actively exploited in the wild. Overall risk is moderate, contingent on the presence of a compromised contributor account and the Classic Editor plugin.

Generated by OpenCVE AI on April 21, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EG‑Series to the latest version that addresses the XSS flaw.
  • If a patch is not yet available, remove or restrict the [series] shortcode from publicly accessible content, or configure it to be used only by trusted authors.
  • Disable the Classic Editor plugin if it is not required, or constrain contributor roles so they cannot edit pages that could contain the shortcode.
  • Apply proper input validation and output escaping to any custom shortcodes you develop, following WordPress best practices.

Generated by OpenCVE AI on April 21, 2026 at 20:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14952 The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
History

Thu, 15 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 May 2025 03:45:00 +0000

Type Values Removed Values Added
Description The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
Title EG-Series <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses CWE-80
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:33.136Z

Reserved: 2025-04-30T07:41:32.308Z

Link: CVE-2025-4126

cve-icon Vulnrichment

Updated: 2025-05-15T14:10:53.112Z

cve-icon NVD

Status : Deferred

Published: 2025-05-15T04:16:17.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4126

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:00:35Z

Weaknesses