Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxpagels ShortCode shortcode allows Stored XSS. This issue affects ShortCode: from n/a through <= 0.8.1.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ShortCode plugin for WordPress does not properly neutralize user input, allowing attacker‑supplied data to be stored and later rendered as part of a web page. This stored input can contain malicious JavaScript, giving the attacker the ability to run code in the browsers of visitors. The vulnerability is a classic Stored Cross‑Site Scripting flaw and is classified as CWE‑79.

Affected Systems

All WordPress sites using the maxpagels ShortCode plugin with a version of 0.8.1 or earlier are susceptible. The plugin injects improperly sanitized content into page output, making every user of the affected site a potential victim.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and it is not catalogued in the CISA KEV list. An attack would require an attacker to embed malicious code via the ShortCode feature; that code is then stored and served to all site visitors, potentially enabling session hijacking, credential theft, or defacement of the site content.

Generated by OpenCVE AI on April 30, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a ShortCode plugin version newer than 0.8.1, or uninstall the plugin if no update is available.
  • Clear all caching layers, including in‑site cache and any CDN or reverse‑proxy cache, to remove residual malicious content from prior stored payloads.
  • Restrict use of the ShortCode plugin to trusted administrators only, or disable the plugin altogether if an update cannot be applied.



Advisories
Source: EUVD
ID: EUVD-2025-30599
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxpagels ShortCode allows Stored XSS. This issue affects ShortCode: from n/a through 0.8.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxpagels ShortCode allows Stored XSS. This issue affects ShortCode: from n/a through 0.8.1.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxpagels ShortCode shortcode allows Stored XSS.This issue affects ShortCode: from n/a through <= 0.8.1.

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 30 Sep 2025 18:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values added: Wordpress (wordpress)

Type: Vendors & Products
Values added: Wordpress (wordpress)

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxpagels ShortCode allows Stored XSS. This issue affects ShortCode: from n/a through 0.8.1.

Type: Title
Values added: WordPress ShortCode Plugin <= 0.8.1 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:58:47.638Z

Reserved: 2025-08-22T11:37:50.459Z

Link: CVE-2025-58022

Vulnrichment

Updated: 2025-09-30T17:16:53.613Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:04.523

Modified: 2026-04-23T15:33:15.263

Link: CVE-2025-58022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:15:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')