Description
The VerticalResponse Newsletter Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'verticalresponse' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch immediately
AI Analysis

Impact

The VerticalResponse Newsletter Widget plugin for WordPress contains a stored cross‑site scripting flaw that allows an attacker to inject arbitrary JavaScript via the plugin’s shortcode. When an attacker supplies malicious attributes, the plugin fails to sanitize and escape the input, so the script is embedded and executed on any page containing the shortcode. The weakness is categorized as CWE‑79 and is only exploitable by authenticated users with contributor‑level permissions or higher.

Affected Systems

Katzweb Design’s VerticalResponse Newsletter Widget plugin is affected in all releases up to and including version 1.6. WordPress sites that install or embed these plugin versions are potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of < 1 % suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, reducing immediate threat visibility, but because it requires only contributor‑level access, many sites with such roles are at risk. An attacker would first authenticate, then craft a malicious shortcode that stores the payload, which will execute whenever a page displaying the shortcode is viewed, allowing widespread script injection.

Generated by OpenCVE AI on April 28, 2026 at 02:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VerticalResponse Newsletter Widget plugin to the latest version (1.7 or newer) to eliminate the vulnerability.
  • Disable or remove the plugin’s shortcode from any pages that do not require it to prevent accidental storage of malicious scripts.
  • Restrict contributor‑level access or remove the ability to edit or embed shortcodes on public pages, ensuring that only trusted administrators can add or modify shortcode content.

Generated by OpenCVE AI on April 28, 2026 at 02:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13316 The VerticalResponse Newsletter Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'verticalresponse' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 05 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 03 May 2025 02:30:00 +0000

Type Values Removed Values Added
Description The VerticalResponse Newsletter Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'verticalresponse' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title VerticalResponse Newsletter Widget <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:22.922Z

Reserved: 2025-05-01T12:21:57.061Z

Link: CVE-2025-4172

cve-icon Vulnrichment

Updated: 2025-05-05T14:40:52.668Z

cve-icon NVD

Status : Deferred

Published: 2025-05-03T03:15:28.640

Modified: 2026-06-17T09:32:41.823

Link: CVE-2025-4172

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T02:15:18Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')