CVE-2025-7648 - Vulnerability Details

- Ruven Themes: Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Ruven Themes: Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ruven_button' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-07-18

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Ruven Themes: Shortcodes plugin is vulnerable to stored cross‑site scripting through its ‘ruven_button’ shortcode. Unsanitized input attributes allow an authenticated contributor or higher to embed malicious scripts, which will then execute in the browsers of any user who visits a page containing the injected shortcode. This flaw can compromise the confidentiality and integrity of user data by enabling unauthorized script execution, and it can also be used to deface or hijack the site’s user interface.

Affected Systems

WordPress sites installing the Ruven Themes: Shortcodes plugin, versions 1.0 and earlier, are affected. The vulnerability exists in the default installation delivered by the plugin author "ruven-themes."

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate‑to‑high risk. An EPSS score of less than 1% suggests that, at present, exploitation is unlikely but not impossible, especially in targeted environments. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to have contributor‑level access on the site or higher and to insert a malicious shortcode into a post or page. Once site visitors load the affected content, the injected script will run in their browsers.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ruven-themes

Ruven Themes: Shortcodes

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest official patch for Ruven Themes: Shortcodes (any version greater than 1.0) if one has been released.
If no patch is available, temporarily deactivate the plugin for users with contributor roles or remove the vulnerable shortcode from any existing content until a fix is released.
Implement a site‑wide Content Security Policy that blocks inline scripts to reduce the impact of any remaining XSS payloads until a permanent fix is applied.

Generated by OpenCVE AI on April 22, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-21844	The Ruven Themes: Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ruven_button' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00053.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://wordpress.org/plugins/ruven-themes-shortcodes/
https://www.wordfence.com/threat-intel/vulnerabilities/id/1794ef89-3949-44b4-9d42-80cd827ef730?source=cve

History

Fri, 18 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 18 Jul 2025 04:30:00 +0000

Type	Values Removed	Values Added
Description		The Ruven Themes: Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ruven_button' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Ruven Themes: Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses		CWE-79
References		https://wordpress.org/plugins/ruven-themes-shortcodes/ https://www.wordfence.com/threat-intel/vulnerabilities/id/1794ef89-3949-44b4-9d42-80cd827ef730?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-07-18T04:22:59.754Z

Updated: 2026-04-08T16:37:25.939Z

Reserved: 2025-07-14T17:23:18.810Z

Link: CVE-2025-7648

Vulnrichment

Updated: 2025-07-18T13:52:10.583Z

NVD

Status : Deferred

Published: 2025-07-18T05:15:32.533

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object