Description
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Update Plugin
AI Analysis

Impact

The WP Shortcodes Plugin — Shortcodes Ultimate is affected by a Stored Cross-Site Scripting flaw (CWE-79) that arises from insufficient input sanitization and output escaping on user-supplied shortcode attributes. An attacker with contributor-level or higher WordPress permissions can embed arbitrary scripts that are stored and subsequently rendered when any site visitor accesses a page containing the injected shortcode. The injected script runs in visitors' browsers within the site's origin, enabling credential theft, session hijacking or site defacement.

Affected Systems

The vulnerability impacts the WP Shortcodes Plugin — Shortcodes Ultimate developed by gn_themes. All installed versions up to and including 7.4.2 are affected; newer releases are presumed patched. The flaw persists across all WordPress sites that rely on this plugin and have contributors with editing privileges.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS of less than 1% suggests a low probability of exploitation. Because the flaw requires authenticated access at contributor level or higher, the effective attack surface is limited to sites where such roles exist. The attack is relatively straightforward: an attacker creates or edits a post or page, inserts a malicious shortcode that injects script, and then any visitor triggers execution. Though the likelihood is low, the potential damage—such as credential theft or defacement—makes it a significant concern for sites with high‑traffic user bases.

Generated by OpenCVE AI on April 21, 2026 at 03:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Shortcodes Plugin — Shortcodes Ultimate to the latest available version that contains the XSS fix.
  • If an update is not yet available, temporarily disable or remove the vulnerable shortcode attributes or the entire shortcode functionality for contributors, limiting the ability to inject scripts.
  • Enforce strict sanitization of all shortcode attributes by applying WordPress’s built‑in validation and encoding functions, or by setting the plugin’s configuration to escape output automatically.
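To illustrate the escaping the last recommendation refers to, here is an added example that is not the plugin's own code: a hypothetical [demo_box] shortcode handler that concatenates attributes into markup verbatim, beside a hardened version that escapes each attribute for the context it lands in using WordPress's built-in shortcode_atts(), sanitize_html_class(), esc_attr(), esc_url(), esc_html() and wp_kses_post(). The shortcode name, attribute names and CSS classes are all assumed for the example.

```php
<?php
// Added example (not the plugin's code). A hypothetical [demo_box] shortcode
// whose attributes come from post content written by a contributor-level user.

// VULNERABLE: attribute values are concatenated into markup unescaped, so a
// contributor can break out of the attribute or inject markup (CWE-79).
function demo_box_shortcode_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '', 'class' => '' ),
        $atts,
        'demo_box'
    );
    return '<div class="demo-box ' . $atts['class'] . '" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a>'
         . do_shortcode( $content )
         . '</div>';
}

// HARDENED: every attribute is escaped for its output context (attribute,
// URL, text node), and enclosed content is filtered with the post allow-list.
function demo_box_shortcode_safe( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '', 'class' => '' ),
        $atts,
        'demo_box'
    );
    // sanitize_html_class() strips anything that is not a valid class name;
    // the second argument is the fallback when nothing valid remains.
    $class = sanitize_html_class( $atts['class'], 'demo-box-default' );

    return '<div class="demo-box ' . esc_attr( $class ) . '" title="' . esc_attr( $atts['title'] ) . '">'
         // esc_url() rejects dangerous schemes such as javascript: and encodes the rest.
         . '<a href="' . esc_url( $atts['link'] ) . '">' . esc_html( $atts['title'] ) . '</a>'
         // Nested shortcodes are expanded first, then the result is reduced to
         // the same tag/attribute allow-list WordPress applies to post content.
         . wp_kses_post( do_shortcode( $content ) )
         . '</div>';
}

// Only the hardened handler is registered.
add_shortcode( 'demo_box', 'demo_box_shortcode_safe' );
```

The same rule applies to every shortcode a contributor can place: escape at output, choosing the esc_* function for the HTML context the value lands in, rather than trusting that attribute values were sanitized on save.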

Advisories

Source: EUVD
ID: EUVD-2025-22051
Title: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 21 Jul 2025 11:15:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 21 Jul 2025 07:45:00 +0000

Description, values added: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title, values added: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes
Weaknesses, values added: CWE-79
References
Metrics (cvssV3_1), values added:
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:09.946Z

Reserved: 2025-07-08T12:28:22.432Z

Link: CVE-2025-7354

Vulnrichment

Updated: 2025-07-21T11:07:50.000Z

NVD

Status : Deferred

Published: 2025-07-21T08:15:24.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses