Description
The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartdocs_search' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that may run arbitrary scripts in browsers of any user who views the affected page
Action: Apply Patch
AI Analysis

Impact

The Smart Docs WordPress plugin suffers from a stored cross‑site scripting flaw in versions 1.1.0 and earlier. Insufficient sanitization of attributes passed to the 'smartdocs_search' shortcode allows an authenticated user with contributor or higher privileges to embed malicious scripts. When a targeted page is viewed, the injected code executes in the visitor’s browser, enabling session theft, defacement, or data exfiltration.

Affected Systems

This vulnerability affects the Smart Docs plugin from ibachal, available on WordPress. All WordPress installations running Smart Docs 1.1.0 or earlier are susceptible. The plugin version information indicates community‑released plugin versions; any site that has installed the vulnerable plugin—regardless of WordPress core version—is at risk.

Risk and Exploitability

The CVSS score of 6.4 designates moderate severity. The EPSS score below 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires an authenticated contributor or higher, so only users with that role can inject the malicious code. Attackers may embed scripts that run when other site visitors load the affected pages, but collateral damage is limited to the victim’s browser session. Because the flaw is owner‑controlled content and requires legitimate login, the attack surface is constrained, though any compromised contributor account becomes a vector.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Smart Docs to the latest release that addresses the stored XSS issue (versions greater than 1.1.0).
  • If an upgrade cannot be performed immediately, remove or disable all instances of the 'smartdocs_search' shortcode from existing content or use a content filter to block its output.
  • Implement a Web Application Firewall or rule set that sanitizes user input for the shortcode parameters, preventing script injection; ensure output escaping is enforced.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19918 The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartdocs_search' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Wed, 09 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Archalj
Archalj smart Docs
CPEs cpe:2.3:a:archalj:smart_docs:*:*:*:*:*:wordpress:*:*
Vendors & Products Archalj
Archalj smart Docs

Tue, 08 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartdocs_search' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Smart Docs <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Archalj Smart Docs
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:25.806Z

Reserved: 2025-06-27T12:51:53.444Z

Link: CVE-2025-6787

cve-icon Vulnrichment

Updated: 2025-07-08T14:10:38.424Z

cve-icon NVD

Status : Modified

Published: 2025-07-04T03:15:23.403

Modified: 2026-04-08T18:25:07.203

Link: CVE-2025-6787

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses