Description
The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing authenticated contributors to inject and execute arbitrary scripts on rendered pages
Action: Immediate Patch
AI Analysis

Impact

The WP Masonry & Infinite Scroll WordPress plugin contains a stored XSS vulnerability in its 'wmis' shortcode, which neither sanitizes nor escapes user‑provided attributes. Authenticated users with contributor‑level permissions can insert malicious script that runs in the browser of any visitor who loads a page containing the injected shortcode. This flaw can be exploited to deface sites, steal session cookies, or redirect users to malicious resources. The weakness is an instance of CWE‑79, and exploitation is limited to users who can create or edit content in the WordPress admin area.

Affected Systems

All installations of the WP Masonry & Infinite Scroll plugin up to and including version 2.2 are impacted. The plugin is authored by kaushik07 and distributed as a WordPress plugin. The vulnerability is reachable from every page that renders the vulnerable shortcode and does not depend on the operating system or PHP version in use.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate impact with the potential for significant compromise of confidentiality through script execution. The EPSS score of <1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authenticated access to the WordPress backend, but once the malicious script is rendered the damage extends to every visitor of the affected page. Because the payload must first be stored through the plugin's shortcode, an attacker must obtain contributor or higher privileges before injecting the code.

Generated by OpenCVE AI on April 21, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Masonry & Infinite Scroll plugin to the latest released version, ensuring that it is at least 2.3; the update removes the unsanitized shortcode handling.
  • If an update is unavailable, immediately delete any occurrences of the "wmis" shortcode from existing pages or replace it with a sanitized version that uses WordPress’s provided escaping functions.
  • Revoke contributor roles from users who do not require content creation privileges, or apply a role‑based access control rule that prevents contributors from adding shortcodes to posts, thereby limiting the ability to inject malicious content.
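The second recommended action asks for a shortcode handler that applies WordPress's own escaping functions. The following is an added illustration, not code from the WP Masonry & Infinite Scroll plugin or from OpenCVE: it contrasts the generic CWE‑79 pattern the advisory describes (attribute values concatenated into markup verbatim) with a hardened handler that whitelists attributes, coerces each to the type it must have, and escapes at the point of output. The shortcode tag 'wmis' is from the advisory; the attribute names (columns, gap, class, post_type) are assumptions chosen for illustration.

```php
<?php
/**
 * Added illustration, not the plugin's own code. The 'wmis' tag comes from the
 * advisory; the attribute names below are assumptions for the example.
 */

// Unsafe pattern (generic): attribute values reach the HTML unescaped, so a
// user who can save a post containing the shortcode can break out of the
// attribute and the injected markup is stored and rendered for every visitor.
function wmis_shortcode_unsafe( $atts ) {
    $class   = isset( $atts['class'] ) ? $atts['class'] : '';
    $columns = isset( $atts['columns'] ) ? $atts['columns'] : '3';
    return '<div class="wmis ' . $class . '" data-columns="' . $columns . '"></div>';
}

// Hardened pattern: declare the accepted attributes with defaults, sanitize each
// value into the narrow type the markup needs, then escape at output.
function wmis_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array(
            'columns'   => 3,
            'gap'       => 10,
            'class'     => '',
            'post_type' => 'post',
        ),
        $atts,
        'wmis'
    );

    // Numeric attributes: absint() returns a non-negative integer and nothing else;
    // clamp to a sensible range so a huge value cannot break the layout either.
    $columns = absint( $atts['columns'] );
    $gap     = absint( $atts['gap'] );
    if ( $columns < 1 || $columns > 12 ) {
        $columns = 3;
    }

    // CSS class names: sanitize_html_class() keeps only [A-Za-z0-9_-]; empty
    // entries produced by stray spaces are dropped.
    $classes = array_filter( array_map( 'sanitize_html_class', explode( ' ', $atts['class'] ) ) );

    // Identifiers used to select content: sanitize_key() lowercases and limits to
    // [a-z0-9_-], and only a registered post type is accepted.
    $post_type = sanitize_key( $atts['post_type'] );
    if ( ! post_type_exists( $post_type ) ) {
        $post_type = 'post';
    }

    // Escape in attribute context with esc_attr() even after sanitizing; the two
    // steps serve different purposes and both belong here.
    return sprintf(
        '<div class="wmis %1$s" data-columns="%2$d" data-gap="%3$d" data-post-type="%4$s"></div>',
        esc_attr( implode( ' ', $classes ) ),
        $columns,
        $gap,
        esc_attr( $post_type )
    );
}

add_shortcode( 'wmis', 'wmis_shortcode_hardened' );
```

When reviewing a shortcode handler for this class of bug, the check is mechanical: every value that originates in `$atts` must pass through a sanitizer appropriate to its type and then through the escaping function for the context it is printed in (`esc_attr()` for attributes, `esc_html()` for text nodes, `esc_url()` for URLs). A value that appears in the returned string with neither step is the defect the advisory describes.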

Advisories

Source: EUVD
ID: EUVD-2025-28573
Title: The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Sat, 12 Jul 2025 13:45:00 +0000
  • Metrics (epss): removed {'score': 0.00032}; added {'score': 0.00029}

Fri, 11 Jul 2025 14:45:00 +0000
  • First Time appeared: added Kaushik07; Kaushik07 wp Masonry & Infinite Scroll
  • CPEs: added cpe:2.3:a:kaushik07:wp_masonry_\&_infinite_scroll:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: added Kaushik07; Kaushik07 wp Masonry & Infinite Scroll

Thu, 26 Jun 2025 14:15:00 +0000
  • Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Jun 2025 02:15:00 +0000
  • Description: added "The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
  • Title: added "WP Masonry & Infinite Scroll <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting"
  • Weaknesses: added CWE-79
  • References: (none)
  • Metrics (cvssV3_1): added {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Kaushik07 Wp Masonry & Infinite Scroll

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:48.201Z

Reserved: 2025-06-02T22:17:29.139Z

Link: CVE-2025-5488

Vulnrichment

Updated: 2025-06-26T13:29:09.917Z

NVD

Status: Analyzed

Published: 2025-06-26T02:15:21.333

Modified: 2025-07-11T14:31:08.653

Link: CVE-2025-5488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')