Description
The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

The Structured Content plugin for WordPress contains a stored cross-site scripting flaw that is triggered when a user with the Contributor role or higher inserts the sc_fs_local_business shortcode with malicious attribute values. Because the plugin neither sanitizes nor escapes these attributes, the injected script is persisted in the post content and executed in the browser of any visitor who loads the page. This allows the attacker to deface the site, steal authentication cookies, or run additional malicious payloads in the context of site visitors.
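As an added illustration, not code from the Structured Content plugin or its author, the following shows the general pattern the advisory describes ("insufficient input sanitization and output escaping on user supplied attributes") in a generic WordPress shortcode handler, with the weak form beside a hardened one. The shortcode tag example_business, the attribute names (name, phone, url) and the JSON-LD output are assumptions chosen for the example; shortcode_atts, sanitize_text_field, esc_html, esc_url, wp_json_encode and add_shortcode are WordPress core functions.

```php
<?php
// Added example, not the Structured Content plugin's code. Shortcode tag and
// attribute names are assumptions made for illustration.

// Weak form: attribute values are concatenated into HTML exactly as supplied.
// Anyone allowed to insert the shortcode therefore controls markup (and script)
// in the rendered page, which is the stored-XSS pattern the advisory describes.
function example_business_shortcode_unsafe( $atts ) {
    $name  = isset( $atts['name'] )  ? $atts['name']  : '';
    $phone = isset( $atts['phone'] ) ? $atts['phone'] : '';
    $url   = isset( $atts['url'] )   ? $atts['url']   : '';

    return '<div class="business"><span class="name">' . $name . '</span>'
         . '<a href="' . $url . '">' . $phone . '</a></div>';
}

// Hardened form: declare the accepted attributes (unknown ones are dropped),
// sanitize on input, and escape for the exact output context.
function example_business_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'name'  => '',
            'phone' => '',
            'url'   => '',
        ),
        $atts,
        'example_business' // assumed shortcode tag
    );

    // Input sanitization: strip tags, octets and line breaks from free text.
    $name  = sanitize_text_field( $atts['name'] );
    $phone = sanitize_text_field( $atts['phone'] );

    // esc_url() rejects unsafe schemes (e.g. javascript:) and returns a value
    // that is already safe inside an href attribute; do not esc_attr() it again,
    // as that would double-encode the entities esc_url() produces.
    $url = esc_url( $atts['url'] );

    // Output escaping: esc_html() for text nodes, esc_url() in the href.
    $html = '<div class="business"><span class="name">' . esc_html( $name ) . '</span>'
          . '<a href="' . $url . '">' . esc_html( $phone ) . '</a></div>';

    // Structured data (JSON-LD) is a separate output context: the values land
    // inside a <script> element, so they must not be able to close it. JSON_HEX_TAG
    // encodes < and > as \u003C and \u003E, so "</script>" can never appear literally.
    $data = array(
        '@context'  => 'https://schema.org',
        '@type'     => 'LocalBusiness',
        'name'      => $name,
        'telephone' => $phone,
        'url'       => $url,
    );
    $html .= '<script type="application/ld+json">'
           . wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )
           . '</script>';

    return $html;
}

add_shortcode( 'example_business', 'example_business_shortcode_safe' );
```

The two functions differ only in the handling of the attributes; the markup is the same. Sanitizing on input alone is not sufficient, because the same value may be emitted into several contexts (text node, attribute, URL, JSON inside a script element), and each context needs its own escaping at output time.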

Affected Systems

The vulnerability affects the Structured Content (JSON-LD) WordPress plugin, provided by gorbo, in all releases up to and including version 1.6.4. Users who have enabled the sc_fs_local_business shortcode on their sites and have granted contributor or higher roles are exposed.

Risk and Exploitability

The issue carries a CVSS score of 6.4, indicating moderate severity, and an EPSS of less than 1%, suggesting it is unlikely to be widely exploited. It is not listed in the CISA KEV catalog. Attackers need authenticated access with a contributor or higher role, so the threat is limited to sites where such permissions are granted. Once exploited, the vulnerability can lead to site defacement or the execution of arbitrary scripts in the browsers of site visitors.

Generated by OpenCVE AI on April 20, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Structured Content plugin to version 1.6.5 or later, where the sc_fs_local_business shortcode input is properly sanitized and escaped.
  • If an upgrade is not immediately possible, disable or remove the sc_fs_local_business shortcode from all pages and disable its use for contributor users.
  • Restrict the Contributor role or apply additional role-based permissions to prevent contributors from adding shortcodes until a patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 22:07 UTC.

Advisories

Source | ID | Title
EUVD | EUVD-2025-22495 | The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
References | |

Thu, 24 Jul 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Jul 2025 09:30:00 +0000

Type | Values Removed | Values Added
Description | | The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Structured Content <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode
Weaknesses | | CWE-79
References | |
Metrics cvssV3_1 | | {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:40.105Z

Reserved: 2025-05-12T20:00:42.686Z

Link: CVE-2025-4608

Vulnrichment

Updated: 2025-07-24T13:13:50.248Z

NVD

Status: Deferred

Published: 2025-07-24T10:15:26.483

Modified: 2026-06-17T09:33:37.120

Link: CVE-2025-4608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')