Description
The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_link_target’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-23
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (CWE‑79)
Action: Patch
AI Analysis

Impact

The ShortcodeHub WordPress plugin accepts an author_link_target shortcode parameter that is neither sanitized on input nor escaped on output. When a user with Contributor privileges or higher saves a shortcode containing this parameter, JavaScript placed in its value is stored in the site database. Whenever another visitor views the affected page, the stored script is rendered into the page markup and executes in that visitor's browser. The resulting persistent cross-site scripting lets the attacker run arbitrary client-side code each time the page is accessed, which could expose sensitive information or enable session hijacking; this specific misuse is inferred from the nature of the flaw and is not explicitly stated in the description.
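As an added illustration, not ShortcodeHub's own code (this record does not show the plugin's source), the PHP below sketches the defect class the description names, a shortcode attribute value written into HTML without sanitization or escaping, beside a hardened handler that validates the value against an allowlist and escapes it on output. The shortcode name sch_author_link, the companion author_link attribute and the anchor markup are assumptions; shortcode_atts(), esc_url(), esc_attr() and add_shortcode() are real WordPress APIs, so the code runs inside a WordPress install rather than stand-alone.

```php
<?php
// Added example, not ShortcodeHub's own code. The shortcode name and the
// `author_link` attribute are assumptions; `author_link_target` is the
// parameter named in CVE-2025-7957.

// Weak pattern (the class of defect the advisory describes): the target
// attribute value is concatenated into markup unescaped, so whatever a
// Contributor saved in the shortcode attribute lands in the page verbatim.
function sch_author_link_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'author_link'        => '',
        'author_link_target' => '_self',
    ), $atts, 'sch_author_link' );

    return '<a href="' . esc_url( $atts['author_link'] )
         . '" target="' . $atts['author_link_target'] . '">Author</a>';
}

// Hardened form, step 1: a link target can only ever be one of four
// values, so validate against that allowlist and fall back to a safe
// default for anything else.
function sch_sanitize_link_target( $value ) {
    $allowed = array( '_self', '_blank', '_parent', '_top' );
    $value   = strtolower( trim( (string) $value ) );
    return in_array( $value, $allowed, true ) ? $value : '_self';
}

// Hardened form, step 2: escape on output regardless of the allowlist.
// Defence in depth: the allowlist closes the hole, esc_attr() keeps it
// closed if the allowlist is later relaxed or bypassed elsewhere.
function sch_author_link_safe( $atts ) {
    $atts = shortcode_atts( array(
        'author_link'        => '',
        'author_link_target' => '_self',
    ), $atts, 'sch_author_link' );

    $target = sch_sanitize_link_target( $atts['author_link_target'] );
    // rel="noopener" keeps a _blank link's new window from reaching
    // window.opener on the originating page.
    $rel = ( '_blank' === $target ) ? ' rel="noopener"' : '';

    return '<a href="' . esc_url( $atts['author_link'] )
         . '" target="' . esc_attr( $target ) . '"' . $rel . '>Author</a>';
}

// Only the hardened handler is registered.
add_shortcode( 'sch_author_link', 'sch_author_link_safe' );
```

The reason a Contributor-level finding is plausible here: Contributors lack the unfiltered_html capability, so WordPress runs their post content through kses, but shortcode attributes are handed to the plugin's handler as raw strings and the handler's returned markup is not filtered again. Sanitization and escaping therefore have to happen inside the handler, which is what the hardened form does.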

Affected Systems

This issue impacts all versions of the ShortcodeHub – MultiPurpose Shortcode Builder plugin produced by surror that are 1.7.1 or earlier. The plugin is distributed as a standard WordPress plugin and is commonly used on sites that require advanced shortcode functionality.

Risk and Exploitability

The CVSS score of 6.4 rates the vulnerability as Medium severity, while the EPSS score of less than 1% indicates a very low probability of real-world exploitation at present. The flaw requires authenticated access at Contributor level or higher, so the likely attack vector is an insider or a compromised user account rather than an unauthenticated attacker. The vulnerability is not listed in the CISA KEV catalog, which further reduces its perceived urgency.

Generated by OpenCVE AI on April 20, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShortcodeHub plugin to its latest release, which removes the XSS vulnerability.
  • If a newer release is unavailable, uninstall the ShortcodeHub plugin from the WordPress site to eliminate the stored‑script vector.
  • Modify Contributor role capabilities so that contributors cannot edit shortcode parameters that may contain JavaScript, thereby limiting the ability to inject malicious content.

Advisories
Source: EUVD
ID: EUVD-2025-25698
Title: The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_link_target’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 25 Aug 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 23 Aug 2025 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Sat, 23 Aug 2025 04:30:00 +0000

Type | Values Removed | Values Added
Description | | The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_link_target’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | ShortcodeHub <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via author_link_target Parameter
Weaknesses | | CWE-79
References | |
Metrics (cvssV3_1) | | {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:58.811Z

Reserved: 2025-07-21T13:20:20.335Z

Link: CVE-2025-7957

Vulnrichment

Updated: 2025-08-25T14:40:21.669Z

NVD

Status: Deferred

Published: 2025-08-23T05:15:33.460

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses