Description
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image's 'Title' and 'Slide link' fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The Shortcodes Ultimate plugin for WordPress is vulnerable because uploaded images are saved with their title and slide link fields without proper sanitization or escaping. An authenticated author or higher user can inject arbitrary JavaScript into these fields, and when a visitor later views a page containing the affected image, the script executes in that visitor’s browser. This flaw is a classic example of CWE‑79, potentially leading to defacement, credential theft, or further session compromise.

Affected Systems

WP Shortcodes Plugin – Shortcodes Ultimate, all releases up to and including version 7.4.2. The issue resides solely in the plugin code and applies to any WordPress installation using those versions.

Risk and Exploitability

The CVSS score of 6.4 denotes medium severity, while an EPSS score of less than 1% indicates a very low current exploitation likelihood. The flaw is not listed in CISA’s KEV catalog. Because the attack requires authenticated author or higher access, the attack surface is limited to users who can upload or edit media within the WordPress site. Once injection succeeds, any visitor who views the affected media is exposed to the malicious script.

Generated by OpenCVE AI on April 20, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shortcodes Ultimate to the latest released version that contains the fix for the XSS vulnerability
  • If an immediate upgrade is not feasible, restrict or sanitize the image title and slide link fields to allow only safe characters or remove them entirely from media metadata
  • Apply role‑based access control so that only trusted users have permission to upload or edit media, reducing the number of potential attackers

Generated by OpenCVE AI on April 20, 2026 at 20:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-22329 The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image's 'Title' and 'Slide link' fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 22 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
Description The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image's 'Title' and 'Slide link' fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:23.978Z

Reserved: 2025-07-22T01:57:43.321Z

Link: CVE-2025-8015

cve-icon Vulnrichment

Updated: 2025-07-22T14:55:38.253Z

cve-icon NVD

Status : Deferred

Published: 2025-07-22T15:15:42.113

Modified: 2026-06-17T10:06:08.770

Link: CVE-2025-8015

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')