CVE-2025-5541 - Vulnerability Details

- Runners Log <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-06-06

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Runners Log plugin for WordPress contains a stored cross‑site scripting flaw in its 'runnerslog' shortcode, caused by inadequate sanitization and escaping of user supplied attributes. The vulnerability allows an authenticated user with contributor-level or higher privileges to inject arbitrary JavaScript that is stored in the database and executed when any site visitor loads a page containing the shortcode. This can lead to defacement, session hijacking, and theft of sensitive information.

Affected Systems

All instances of the Runners Log plugin with a version number up to and including 3.9.2 are affected. The flaw impacts WordPress sites using this plugin and requires that the attacker has contributor or higher role access to insert the malicious shortcode into pages or posts that employ the runnerslog tag.

Risk and Exploitability

With a CVSS score of 6.4 the vulnerability is considered moderate. The EPSS score of less than 1% indicates that exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. An attacker requires valid contributor‑level credentials to create or edit content containing the shortcode; once an injection is stored, every visitor to that page will execute the injected code, making the attack straightforward once the privilege threshold is met.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

frold

Runners Log

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.9.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Runners Log plugin to the latest release, which removes the vulnerability.
If an upgrade is not immediately possible, delete or neutralize any pages or posts that include the runnerslog shortcode to eliminate the attack vector.
Restrict contributor and lower role access to editing pages that contain the shortcode and enforce proper role management to limit privilege levels.

Generated by OpenCVE AI on April 20, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-17070	The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00164.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/runners-log/trunk/runnerslog_chart.php#L50
https://www.wordfence.com/threat-intel/vulnerabilities/id/cca53aba-b7dd-4b78-b2ac-c69050308e94?source=cve

History

Fri, 06 Jun 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Jun 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Runners Log <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/runners-log/trunk/runnerslog_chart.php#L50 https://www.wordfence.com/threat-intel/vulnerabilities/id/cca53aba-b7dd-4b78-b2ac-c69050308e94?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-06-06T06:42:53.938Z

Updated: 2026-04-08T17:23:48.880Z

Reserved: 2025-06-03T15:56:07.096Z

Link: CVE-2025-5541

Vulnrichment

Updated: 2025-06-06T15:42:20.945Z

NVD

Status : Deferred

Published: 2025-06-06T07:15:29.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:45:20Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object