Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS. This issue affects Rescue Shortcodes: from n/a through 3.3.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in the Rescue Shortcodes plugin
Action: Immediate Patch
AI Analysis

Impact

Rescue Shortcodes allows attackers to inject malicious JavaScript into pages stored by the plugin. The improper neutralization of input during page generation is a stored cross‑site scripting condition (CWE‑79). Attackers could execute scripts in the browsers of anyone who views the affected content, potentially stealing credentials, session cookies, or injecting further malicious content. The likely attack vector, inferred from the available description, is the plugin’s shortcode interface, where an attacker can submit malicious content that is then rendered to all visitors without proper encoding.

Affected Systems

The vulnerability affects the Rescue Themes Rescue Shortcodes plugin from its earliest releases up through version 3.3. All WordPress installations that employ any version within this range are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS score of < 1% suggests a low probability of exploitation at this time. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C) describes a flaw that is reachable over the network, requires a low-privileged account, and depends on user interaction. The vulnerability is not listed in the CISA KEV catalogue. As noted under Impact, the likely route is content submitted through the plugin’s shortcode interface, which is then stored and rendered to all visitors without proper encoding.

Generated by OpenCVE AI on April 28, 2026 at 23:51 UTC.

Remediation

Vendor Solution

Update the WordPress Rescue Shortcodes Plugin to the latest available version (at least 3.4).


OpenCVE Recommended Actions

  • Update the WordPress Rescue Shortcodes plugin to version 3.4 or later
  • Audit all content that uses the plugin and sanitize or remove any that may contain unsanitized data
  • If a patch cannot be applied immediately, disable or delete the plugin until the update is available

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rescuethemes; Rescuethemes rescue Shortcodes; Wordpress; Wordpress wordpress
Vendors & Products | | Rescuethemes; Rescuethemes rescue Shortcodes; Wordpress; Wordpress wordpress

Thu, 23 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS. This issue affects Rescue Shortcodes: from n/a through 3.3.
Title | | WordPress Rescue Shortcodes plugin <= 3.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:01.755Z

Reserved: 2025-10-07T15:41:20.865Z

Link: CVE-2025-62110

Vulnrichment

Updated: 2026-04-23T13:42:13.693Z

NVD

Status: Deferred

Published: 2026-04-23T12:17:01.363

Modified: 2026-04-23T14:28:55.557

Link: CVE-2025-62110

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z
