Description
The Temporarily Hidden Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'temphc-start' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows arbitrary script execution in browsers of users viewing injected content
Action: Patch Now
AI Analysis

Impact

The Temporarily Hidden Content plugin for WordPress contains a stored cross-site scripting vulnerability in its temphc-start shortcode. Because the plugin neither sanitizes nor escapes user-supplied shortcode attributes before rendering them, an attacker with a contributor-level or higher account can place a payload in an attribute value that is stored with the post content. Contributors cannot publish and lack the unfiltered_html capability, so raw <script> tags are stripped from their posts on save; a shortcode attribute value is plain text to that filter and survives, and it becomes markup only when the plugin renders the shortcode. The script then runs in the browser of whoever loads the page: an editor or administrator reviewing the pending post, and every visitor once it is published. Running with an administrator's session, it can perform privileged actions on the site, steal session data, or deface content.

Affected Systems

This flaw affects the WordPress plugin Temporarily Hidden Content developed by codents, in all releases up to and including version 1.0.6. No other vendors are listed, and the advisory does not specify additional impacted components.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects moderate risk: the shortcode is reachable over the network with low attack complexity, the attacker needs only low privileges (a contributor account), and scope is changed because the script executes in other users' browsers, with limited confidentiality and integrity impact. The EPSS of less than 1 % indicates a low but non-zero chance of exploitation in the wild, the SSVC enrichment records no known exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker must hold contributor-level or higher privileges and abuses the weakness by placing dangerous attribute values in a temphc-start shortcode. Because the payload is stored, it executes in every browser that loads the affected page, so the threat is persistent and reaches every user who views the content, including users with higher privileges than the attacker.

Generated by OpenCVE AI on April 21, 2026 at 03:56 UTC.
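
The rendering defect described above, as an added Python model of the pattern (not the plugin's PHP, which is not shown on this page): a shortcode attribute value is dropped into an HTML attribute unescaped, so a value carrying a double quote closes the attribute and introduces an on* event handler; the hardened variant allowlists attribute names and escapes each value for its context, the way shortcode_atts() and esc_attr() would in WordPress. The attribute names "class" and "start", the emitted markup, and the payload are constructed assumptions for illustration. A real HTML parser is used to check which attributes a browser would actually see.

```python
import html
import re
from html.parser import HTMLParser

# Added example: a Python model of the defect class, not the plugin's own PHP.
# Attribute names ("class", "start") and the emitted markup are assumptions.

# Accepts name="value", name='value' and name=value, roughly as WordPress's
# shortcode_parse_atts() does (simplified; this is not the WordPress regex).
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Assumed attribute allowlist with defaults, in the role of shortcode_atts().
DEFAULTS = {"class": "", "start": ""}


def parse_atts(att_string):
    """Return the shortcode attributes as a dict of lower-cased name -> raw value."""
    atts = {}
    for m in ATTR_RE.finditer(att_string):
        name = m.group(1).lower()
        atts[name] = next(v for v in m.groups()[1:] if v is not None)
    return atts


def render_vulnerable(att_string):
    """Drops raw attribute values into markup: the defect class in CVE-2025-7658."""
    atts = parse_atts(att_string)
    return '<div class="{}" data-start="{}">'.format(
        atts.get("class", ""), atts.get("start", ""))


def render_hardened(att_string):
    """Allowlist the attribute names, then escape each value for its HTML context."""
    supplied = parse_atts(att_string)
    atts = {name: supplied.get(name, default) for name, default in DEFAULTS.items()}
    # html.escape(quote=True) encodes & < > " ' (the same set esc_attr() encodes),
    # so a value can neither close the attribute nor open a tag.
    return '<div class="{}" data-start="{}">'.format(
        html.escape(atts["class"], quote=True), html.escape(atts["start"], quote=True))


class _AttrCollector(HTMLParser):
    """Collects attribute names from start tags so the check uses a real HTML parser."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def event_handlers(markup):
    """Names of on* event-handler attributes a browser would see in the markup."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return [n for n in p.names if n.startswith("on")]


# Constructed contributor payload: the value is single-quoted in shortcode syntax
# so it can carry a double quote that closes class="..." and starts a new attribute.
PAYLOAD = '''class='" onmouseover="alert(document.cookie)' start="2025-07-19"'''

if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        markup = render(PAYLOAD)
        print(f"{label}: {markup}")
        print(f"  event handlers seen by the parser: {event_handlers(markup)}")
```

The vulnerable render yields an onmouseover attribute on the div; the hardened render yields none, because the quote in the value is now `&quot;` and stays inside the class attribute. Note that `<script>` tags are not the realistic contributor payload here: kses removes them on save, whereas the quote character that breaks out of the attribute passes through untouched.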

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Temporarily Hidden Content plugin to a release newer than 1.0.6 as soon as the vendor publishes one; if no fixed release is available, or the plugin is no longer required, deactivate and uninstall it.
  • Review every account with contributor-level access or higher and disable or downgrade those that do not need to author content until the plugin is fixed; role permissions alone cannot restrict who may write a shortcode, since any user who can edit post content can type one.
  • Audit every post and page containing the temphc-start shortcode, including pending, draft and revision rows that a contributor can create without publishing, and remove or rewrite any shortcode whose attribute values contain quotes, angle brackets, on* event handlers or javascript: URIs.
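
A scanner for the audit step above, added here as an example and not OpenCVE's or the plugin vendor's tooling: it finds every [temphc-start ...] tag in a post row, parses the attributes, and flags values that only make sense as an attempt to leave the attribute context or run script. The post rows are constructed for the demo; the shortcode and attribute grammar are simplified assumptions rather than WordPress's own regex.

```python
import re

# Added example for auditing stored content; not OpenCVE's or the vendor's code.
# Post rows in SAMPLE_POSTS are constructed for the demo.

# One [temphc-start ...] tag; a ']' inside an attribute value is not handled
# (simplification of the WordPress shortcode regex).
SHORTCODE_RE = re.compile(r"\[temphc-start\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Heuristics for attribute values worth a human look. Quote characters matter
# most: wp_kses strips HTML tags from a contributor's post on save but leaves
# quotes inside shortcode attributes alone, and a quote is what breaks out of
# an unescaped attribute.
SUSPICIOUS = (
    ("quote_breakout", re.compile(r"""["']""")),
    ("angle_bracket", re.compile(r"[<>]")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
)


def scan_post(post):
    """Return one finding per suspicious attribute of each temphc-start tag in a post row."""
    findings = []
    for tag in SHORTCODE_RE.finditer(post["post_content"]):
        for m in ATTR_RE.finditer(tag.group(1)):
            name = m.group(1).lower()
            value = next(v for v in m.groups()[1:] if v is not None)
            reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
            if reasons:
                findings.append({
                    "ID": post["ID"],
                    "post_status": post["post_status"],
                    "post_author": post["post_author"],
                    "attr": name,
                    "value": value,
                    "reasons": reasons,
                })
    return findings


def scan_posts(posts):
    """Scan every row regardless of status: pending, draft and revision rows all count."""
    return [f for post in posts for f in scan_post(post)]


# Constructed rows shaped like wp_posts columns. ID 12 is a contributor's
# pending post carrying the attribute break-out payload.
SAMPLE_POSTS = [
    {"ID": 4, "post_status": "publish", "post_author": 1,
     "post_content": '<p>Launch</p>[temphc-start class="promo" start="2025-07-01"]Details here'},
    {"ID": 12, "post_status": "pending", "post_author": 7,
     "post_content": '''[temphc-start class='" onmouseover="alert(document.cookie)' start="2025-07-19"]Hidden'''},
    {"ID": 13, "post_status": "draft", "post_author": 7,
     "post_content": "[temphc-start start=2025-08-01]Nothing of interest"},
    {"ID": 20, "post_status": "publish", "post_author": 1,
     "post_content": "<p>No shortcode at all</p>"},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['ID']} ({f['post_status']}, author {f['post_author']}): "
              f"{f['attr']}={f['value']!r} flagged for {', '.join(f['reasons'])}")
```

Feed it rows straight from the database rather than from a front-end export, for example `SELECT ID, post_status, post_author, post_content FROM wp_posts WHERE post_content LIKE '%[temphc-start%'`, so that pending submissions, drafts and revisions are covered; a contributor's payload sits in a pending row until an editor approves it, and the editor's preview is where it first fires.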

Advisories

Source: EUVD
ID: EUVD-2025-21944
Title: same text as the description above
History

Mon, 21 Jul 2025 17:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 19 Jul 2025 02:30:00 +0000

Description (added): The Temporarily Hidden Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'temphc-start' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title (added): Temporarily Hidden Content <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses (added): CWE-79
References (added):
Metrics (added): cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:17.412Z

Reserved: 2025-07-14T20:29:53.582Z

Link: CVE-2025-7658

Vulnrichment

Updated: 2025-07-21T17:00:28.496Z

NVD

Status : Deferred

Published: 2025-07-19T03:15:23.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses