CVE-2025-49244
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-06

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vova Shortcodes Ultimate shortcodes-ultimate allows Stored XSS.This issue affects Shortcodes Ultimate: from n/a through <= 7.3.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-06
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2025-06-06
EPSS Evaluated
2026-05-05
NVD
CVE-2025-49244
EUVD
EUVD-2025-17289
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-49244 is a Cross Site Scripting (XSS) vulnerability in the WordPress Shortcodes Ultimate plugin (versions up to 7.3.5). It allows a malicious user with contributor-level access to inject malicious scripts into a website. These scripts can execute when visitors access the site, potentially causing redirects, displaying unwanted advertisements, or other harmful HTML payloads. [1]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, which can lead to unauthorized redirects, display of unwanted content, or other malicious actions affecting your site's visitors. It may also compromise the integrity and trustworthiness of your website. However, the impact is considered low severity with a CVSS score of 6.5, and exploitation likelihood is low. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if your WordPress site is running the Shortcodes Ultimate plugin version 7.3.5 or earlier. Since the vulnerability allows stored XSS via contributor-level privileges, monitoring for unusual script injections or unexpected HTML payloads in posts or pages can help. However, plugin-based malware scanners may be unreliable for this issue. There are no specific commands provided to detect this vulnerability on your system or network. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the Shortcodes Ultimate plugin to version 7.4.0 or later, where the vulnerability is fixed. Additionally, Patchstack offers virtual patching (vPatching) to auto-mitigate this and other vulnerabilities before official patches are applied. If you suspect your site has been compromised, seek professional incident response assistance. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart