Description
The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting with authenticated contributor-level access
Action: Apply Patch
AI Analysis

Impact

The vulnerability is in the Partnerský systém Martinus WordPress plugin: values supplied as attributes of the 'martinus' shortcode are neither sanitized on input nor escaped when the shortcode is rendered, so an attacker with the Contributor role or higher can store a value that breaks out of the generated markup and executes as JavaScript. A Contributor cannot post raw HTML (WordPress passes that role's content through the kses filter), but a shortcode attribute is ordinary text to that filter, which is why this class of bug is reachable from such a low-privileged account. The script runs in the browser of whoever renders the page, including the editors and administrators who preview or publish the contributor's post, so the realistic consequences are those of any stored XSS: actions performed with the victim's WordPress session, disclosure of data visible to that user, and altered page content. The CVSS vector (S:C, C:L, I:L, A:N) says the same thing: limited confidentiality and integrity impact, no availability impact, in a scope beyond the attacker's own privileges.
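As an added illustration of the flaw class (this is not the plugin's code, and the page does not publish the shortcode's real attribute names, so `url` and `title` are assumed), the following PHP contrasts the unescaped shortcode-handler pattern the advisory describes with a hardened handler that whitelists attributes via `shortcode_atts()` and escapes at the output sink with `esc_url()` and `esc_attr()`. The `function_exists()` shims are stand-ins so the file runs outside WordPress; inside WordPress the core functions are used, and note that the `esc_url()` stand-in is stricter than the real one.

```php
<?php
// Added illustration of the flaw class named in the advisory (CWE-79 in a
// shortcode handler); it is not the plugin's code. The real attribute names of
// the 'martinus' shortcode are not published, so 'url' and 'title' are assumed.
// The function_exists() shims only exist so the file runs outside WordPress;
// inside WordPress the real core functions are used instead.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode & < > " ' for attribute context.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}

if (!function_exists('esc_url')) {
    // Stand-in for WordPress esc_url(), deliberately stricter than core: only
    // absolute http(s) URLs pass, so javascript: and data: schemes are dropped.
    function esc_url(string $s): string {
        $s = trim($s);
        if (!preg_match('#^https?://#i', $s)) {
            return '';
        }
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}

if (!function_exists('shortcode_atts')) {
    // Stand-in for WordPress shortcode_atts(): keep only declared keys, apply defaults.
    function shortcode_atts(array $pairs, $atts): array {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: attribute values concatenated straight into markup.
// A Contributor cannot post raw HTML (kses strips it), but a shortcode
// attribute is plain text to kses, so a value such as
//   " onmouseover="alert(document.cookie)
// reaches this function intact and lands inside the title="" attribute.
function martinus_shortcode_vulnerable($atts): string {
    $atts  = (array) $atts;
    $url   = $atts['url']   ?? '';
    $title = $atts['title'] ?? 'Martinus';
    return '<a href="' . $url . '" title="' . $title . '">' . $title . '</a>';
}

// Hardened handler: whitelist attributes, then escape at the sink for the
// context each value lands in (URL in href, attribute-encoded text elsewhere).
function martinus_shortcode_safe($atts): string {
    $atts = shortcode_atts(['url' => '', 'title' => 'Martinus'], $atts);
    $url  = esc_url($atts['url']);
    if ($url === '') {
        return '';          // nothing to render without an acceptable URL
    }
    $title = esc_attr($atts['title']);
    return '<a href="' . $url . '" title="' . $title . '">' . $title . '</a>';
}

// Constructed attacker-controlled attributes, as a shortcode parser would hand them over.
$attack_title = ['url' => 'https://example.test/', 'title' => '" onmouseover="alert(document.cookie)'];
$attack_url   = ['url' => 'javascript:alert(1)',   'title' => 'Martinus', 'class' => 'x']; // 'class' is undeclared

foreach ([$attack_title, $attack_url] as $atts) {
    echo "vulnerable: ", martinus_shortcode_vulnerable($atts), "\n";
    echo "hardened:   ", martinus_shortcode_safe($atts), "\n\n";
}
```

Run it with `php` on the command line. For the first input the vulnerable handler emits `title="" onmouseover="alert(document.cookie)"`, a live event handler, while the hardened handler encodes the quotes as `&quot;` so the whole value stays inside the attribute. For the second input the vulnerable handler emits `href="javascript:alert(1)"`; the hardened one returns an empty string because the scheme is rejected, and the undeclared `class` attribute never reaches the output at all.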

Affected Systems

The flaw is present in all releases of the Partnerský systém Martinus plugin up to and including version 1.7.1. The affected software is the WordPress plugin published by the vendor maxomatos. Site administrators should check whether the plugin is installed (the Plugins screen in wp-admin, or `wp plugin list --fields=name,version,status` with WP-CLI) and treat any installed version of 1.7.1 or older as affected; this page does not identify a fixed release.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (Medium) comes from the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network with low complexity, needing only a low-privileged account, with no user interaction beyond viewing the page, and with limited confidentiality and integrity impact in a changed scope (the script executes for other users, not just the attacker). The EPSS score below 1% indicates a low estimated probability of exploitation as of the latest data, and the vulnerability is not in the CISA KEV catalog, meaning no confirmed in-the-wild exploitation has been recorded there; the SSVC assessment in the history below agrees (Exploitation: none, Automatable: no). Exploitation requires an authenticated account with the Contributor role or higher, so exposure is confined to sites that hand out such accounts, for example multi-author blogs with open or lightly vetted registration. Two points temper the low reading: a Contributor cannot publish, but the injected post still executes when an editor or administrator previews it for review, and once it is published the payload runs for every visitor who loads the page.

Generated by OpenCVE AI on April 22, 2026 at 01:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Partnerský systém Martinus plugin to version 1.7.2 or later when available
  • Until a fixed release is installed, deactivate the plugin or unregister the shortcode (remove_shortcode('martinus') from a site-specific plugin that runs after the plugin has registered it); WordPress core offers no per-role control over which shortcodes a Contributor may use
  • Review which accounts hold the Contributor role or higher and remove any that are not needed
  • Audit published posts and pages as well as drafts and pending submissions that contain the 'martinus' shortcode for attribute values carrying quote characters, angle brackets, javascript: or data: schemes, or on*= handlers, and remove any that are found

Generated by OpenCVE AI on April 22, 2026 at 01:05 UTC.
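For the audit step, the following PHP is an added helper (not from the plugin or from OpenCVE) that scans post content for `[martinus ...]` instances and flags attribute values carrying quote characters, angle brackets, `javascript:`/`data:` schemes or `on*=` handlers. The three posts are constructed samples; on a live site feed it rows from `SELECT ID, post_status, post_content FROM wp_posts WHERE post_content LIKE '%[martinus%'` (table prefix `wp_` assumed) and include drafts and pending posts, because that is where a Contributor's content sits before review. The attribute parser mirrors the standard `name="value"`, `name='value'`, `name=value` syntax; it is an assumption that the plugin relies on WordPress's standard shortcode parsing.

```php
<?php
// Added audit helper, not part of the plugin. It scans post content for
// [martinus ...] shortcode instances and flags attribute values that could
// only be there to break out of an HTML attribute or inject script.
// No attribute names are assumed; every attribute of every instance is checked.
//
// Live-site input (table prefix wp_ assumed):
//   SELECT ID, post_status, post_content FROM wp_posts
//   WHERE post_content LIKE '%[martinus%'
// Do not filter on post_status: Contributor content is 'draft' or 'pending'.

// Simplified attribute parser modelled on the standard shortcode attribute
// syntax: name="value", name='value', name=value (assumption: the plugin
// uses WordPress's standard parsing).
function martinus_parse_atts(string $raw): array {
    $atts = [];
    $re = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    if (preg_match_all($re, $raw, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $set) {
            // Exactly one of groups 2, 3, 4 is populated per match.
            $atts[strtolower($set[1])] = ($set[2] ?? '') . ($set[3] ?? '') . ($set[4] ?? '');
        }
    }
    return $atts;
}

// Indicators that an attribute value is trying to escape its output context:
// quotes and angle brackets, script-bearing URL schemes, inline event
// handlers, and entity/percent-encoded forms of '<'.
function martinus_suspicious(string $value): bool {
    return (bool) preg_match('/[<>"\']|javascript\s*:|data\s*:|\bon\w+\s*=|&#|%3c/i', $value);
}

// Returns one finding per suspicious attribute, with enough context to locate
// and remove it.
function martinus_audit(array $posts): array {
    $findings = [];
    foreach ($posts as $post) {
        if (!preg_match_all('/\[martinus\b([^\]]*)\]/i', $post['post_content'], $hits, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($hits as $hit) {
            foreach (martinus_parse_atts($hit[1]) as $name => $value) {
                if (martinus_suspicious($value)) {
                    $findings[] = [
                        'ID'          => $post['ID'],
                        'post_status' => $post['post_status'],
                        'attribute'   => $name,
                        'value'       => $value,
                        'shortcode'   => $hit[0],
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows: one benign published use, one pending post with an
// attribute-breakout payload, one draft with a script-scheme URL.
$posts = [
    ['ID' => 101, 'post_status' => 'publish',
     'post_content' => 'Read more: [martinus url="https://example.test/book/1" title="A good book"]'],
    ['ID' => 102, 'post_status' => 'pending',
     'post_content' => "[martinus url='https://example.test' title='\" onmouseover=\"alert(document.cookie)']"],
    ['ID' => 103, 'post_status' => 'draft',
     'post_content' => '[martinus url=javascript:alert(1)]'],
];

foreach (martinus_audit($posts) as $f) {
    printf("post %d (%s): attribute %s = %s\n", $f['ID'], $f['post_status'], $f['attribute'], $f['value']);
}
```

Post 101 produces no finding; posts 102 and 103 are each reported once, on `title` and `url` respectively. The indicator list is deliberately broad, so treat a hit as something to read, not something to delete blindly: a legitimate `title` containing an apostrophe will also be flagged. Post revisions (`post_type = 'revision'`) carry the same content and should be cleaned or deleted alongside the post, otherwise a restore brings the payload back.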


Advisories
Source | ID | Title
EUVD | EUVD-2025-21945 | The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 21 Jul 2025 16:15:00 +0000

Type | Values removed | Values added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 19 Jul 2025 02:30:00 +0000

Type | Values removed | Values added
Description | | The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Partnerský systém Martinus <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:41.924Z

Reserved: 2025-07-14T20:38:08.925Z

Link: CVE-2025-7661

Vulnrichment

Updated: 2025-07-21T15:20:48.976Z

NVD

Status : Deferred

Published: 2025-07-19T03:15:23.560

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses