Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JS Morisset JSM file_get_contents() Shortcode wp-file-get-contents allows Stored XSS. This issue affects JSM file_get_contents() Shortcode: from n/a through <= 2.7.1.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows attackers to store malicious scripts in content processed by the JSM file_get_contents() Shortcode. When a victim views the affected page, the injected script runs in their browser, potentially enabling cookie theft, session hijacking, or other client-side attacks. The weakness is an example of CWE-79. This vulnerability can compromise the confidentiality and integrity of user data and impair use of the website.

Affected Systems

The vulnerability affects the WordPress plugin JSM file_get_contents() Shortcode by JS Morisset. All installations running version 2.7.1 or earlier are impacted. No specific sub‑component of the plugin is listed, so the entire plugin range up to 2.7.1 is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The EPSS score is less than 1 percent, suggesting a very low likelihood of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the plugin’s shortcode mechanism, where an attacker can embed malicious payloads into stored content that will later be rendered on the site. The description itself mentions no additional access or privilege prerequisites, implying that the vulnerability may be exploitable by any user who can submit content processed by the plugin. Note that the CVSS vector recorded for this CVE (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) specifies low privileges required (PR:L) and user interaction required (UI:R).

Generated by OpenCVE AI on April 30, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JSM file_get_contents() Shortcode plugin to the latest available version, which removes the vulnerable input handling.
  • If an updated version is not available, deactivate or uninstall the plugin to eliminate the XSS vector from the site.
  • Review all existing content that may have used the plugin’s file_get_contents() shortcode and remove or sanitize any stored malicious payloads.

Advisories
Source: EUVD
ID: EUVD-2025-30538
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JS Morisset JSM file_get_contents() Shortcode allows Stored XSS. This issue affects JSM file_get_contents() Shortcode: from n/a through 2.7.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JS Morisset JSM file_get_contents() Shortcode allows Stored XSS. This issue affects JSM file_get_contents() Shortcode: from n/a through 2.7.1.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JS Morisset JSM file_get_contents() Shortcode wp-file-get-contents allows Stored XSS. This issue affects JSM file_get_contents() Shortcode: from n/a through <= 2.7.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared: Js Morisset; Js Morisset jsm Shortcode; Wordpress; Wordpress wordpress
Vendors & Products: Js Morisset; Js Morisset jsm Shortcode; Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JS Morisset JSM file_get_contents() Shortcode allows Stored XSS. This issue affects JSM file_get_contents() Shortcode: from n/a through 2.7.1.
Title: WordPress JSM file_get_contents() Shortcode Plugin <= 2.7.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses: CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:54:51.178Z

Reserved: 2025-09-03T09:03:29.730Z

Link: CVE-2025-58653

Vulnrichment

Updated: 2025-09-23T16:00:59.588Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:15.427

Modified: 2026-04-23T15:33:31.977

Link: CVE-2025-58653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:45:06Z
