Description
The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The WP SoundSystem plugin’s wpsstm‑track shortcode accepts user‑supplied attributes that are stored without adequate sanitization and rendered into the page without escaping. An attacker with contributor‑level or higher access can therefore add the shortcode to a post with attribute values that carry JavaScript; whenever a user loads a page containing the injected shortcode, including an editor who previews the pending post, the script runs in that user’s browser within the site’s origin. Typical consequences are actions performed in the victim’s authenticated session with that user’s privileges, theft of data visible to the victim, and defacement of content. The CVSS vector records low confidentiality and integrity impact with changed scope (C:L/I:L, S:C); the weakness is classified as CWE‑79.
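The pattern behind this class of bug, as an added example that is not WP SoundSystem’s code: a generic WordPress shortcode handler that concatenates attribute values into HTML unescaped, beside a hardened version of the same handler. The shortcode name demo-track and the attributes title and url are assumptions for the demonstration; the real plugin’s attribute names are not given on this page.

```php
<?php
// Added example of the vulnerable and hardened shortcode-handler patterns.
// Not WP SoundSystem's code; 'demo-track', 'title' and 'url' are assumed names.

// VULNERABLE pattern (CWE-79): attribute values reach the markup unescaped.
// A Contributor can store [demo-track title='" onmouseover="alert(1)' url="x"]
// or url="javascript:alert(1)"; the quote breaks out of the title attribute
// only when this handler concatenates it into HTML, so kses never saw any tag.
function demo_track_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '' ),
        $atts,
        'demo-track'
    );
    return '<a class="track" href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a>';
}

// HARDENED pattern: whitelist attributes, sanitize on input, and escape on
// output with the escaper that matches each HTML context.
function demo_track_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '' ),
        $atts,
        'demo-track'
    );
    $title = sanitize_text_field( $atts['title'] );
    // esc_url() returns '' for javascript:, data: and other disallowed schemes.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return '';
    }
    return sprintf(
        '<a class="track" href="%s" title="%s">%s</a>',
        $url,               // already escaped by esc_url()
        esc_attr( $title ), // attribute-value context
        esc_html( $title )  // text-node context
    );
}
add_shortcode( 'demo-track', 'demo_track_shortcode_hardened' );
```

The kses filtering that WordPress applies to Contributor-authored content does not help here: the stored payload contains no HTML, so nothing is stripped at save time, and the break-out happens at render time inside the handler. sanitize_text_field() limits what is stored, but the context-appropriate output escaping (esc_attr, esc_html, esc_url) is what actually closes the hole.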

Affected Systems

All sites running WP SoundSystem 3.4.2 or earlier (plugin author: grosbouff) are affected. Exposure does not depend on the site already using the wpsstm‑track shortcode: any user who can create or edit post content, which by default includes the Contributor role, can add the shortcode with malicious attribute values. The flaw is only reachable by authenticated users with content‑editing rights, so a site whose Contributor‑or‑higher accounts are all trusted has a much smaller exposed surface, but it is still running vulnerable code.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates medium severity. The EPSS score of under 1% suggests a low likelihood of exploitation at the time of this analysis, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Exploitation requires an authenticated account with at least Contributor privileges, which is a low bar on sites that hand out Contributor accounts to guest authors. Because contributors cannot publish, the injected shortcode typically first executes in the browser of the editor or administrator who reviews the pending post; that is the realistic path to privilege escalation, and once the post is published the script runs for every visitor to the page. Control over who may author content is therefore the main mitigating factor.

Generated by OpenCVE AI on April 22, 2026 at 01:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a fixed version of WP SoundSystem once one newer than 3.4.2 is available. At the time of this page no vendor fix is listed, so check the plugin’s changelog before assuming an update resolves the issue.
  • Until a fix is available, deactivate the plugin or unregister the wpsstm‑track shortcode (for example from a must‑use plugin), and review existing posts and pages of any status, drafts and pending reviews included, for instances of the shortcode with unexpected attribute values.
  • WordPress cannot restrict an individual shortcode by role, so reduce who can plant the payload instead: audit accounts with Contributor or higher privileges and remove or downgrade those that do not need to author content.
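A temporary mitigation implementing the second and third recommendations in code, as an added example rather than a vendor‑provided workaround. It assumes the shortcode tag is exactly wpsstm-track as the description states, that the plugin registers it no later than the init action (so a handler registered on init at the highest priority overrides it), and that the file is placed in wp-content/mu-plugins/. The file and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Temporary mitigation for CVE-2025-6258 (added example, not vendor code)
 * Description: Replaces the wpsstm-track shortcode with a no-op handler and
 *              provides a helper that lists content already containing it.
 *
 * Place in wp-content/mu-plugins/ (must-use plugins load before regular plugins).
 */

// add_shortcode() overwrites any handler already registered for the tag, so
// registering late on 'init' wins regardless of the plugin's own load order.
// Assumption: the plugin registers its shortcode no later than 'init'.
add_action( 'init', function () {
    add_shortcode( 'wpsstm-track', '__return_empty_string' );
}, PHP_INT_MAX );

/**
 * Return [post ID => title] for posts of any type and status whose raw content
 * contains the shortcode. Drafts and pending posts are included on purpose:
 * a Contributor's payload sits in a pending post until an editor previews it.
 *
 * The check uses a plain regex rather than has_shortcode(), which returns
 * false whenever the tag is not registered (e.g. with the plugin deactivated).
 */
function cve_2025_6258_find_affected_posts() {
    $found = array();
    $query = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        's'              => '[wpsstm-track', // cheap database-side prefilter
        'fields'         => 'ids',
    ) );
    foreach ( $query->posts as $post_id ) {
        $post = get_post( $post_id );
        if ( $post && preg_match( '/\[wpsstm-track\b/', $post->post_content ) ) {
            $found[ $post_id ] = get_the_title( $post_id );
        }
    }
    return $found;
}
```

List the matches from the command line with wp eval 'print_r( cve_2025_6258_find_affected_posts() );' and inspect each hit’s attribute values before removing the shortcode from the content: the no‑op handler stops the attributes from being rendered but leaves the stored payload in place. Remove the file once a fixed plugin version is installed, or the legitimate shortcode will stay disabled.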


Advisories

Source: EUVD
ID: EUVD-2025-28709
Title: The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Thu, 26 Jun 2025 14:15:00 +0000

Values added:

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Jun 2025 02:15:00 +0000

Values added:

Description: The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title: WP SoundSystem <= 3.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsstm-track Shortcode
Weaknesses: CWE-79
References: none listed
Metrics (cvssV3_1): {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:12.349Z

Reserved: 2025-06-18T21:57:31.761Z

Link: CVE-2025-6258

Vulnrichment

Updated: 2025-06-26T13:26:53.744Z

NVD

Status : Deferred

Published: 2025-06-26T02:15:22.573

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses