CVE-2025-49855
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in the Meks Flexible Shortcodes WordPress plugin versions up to 1.3.7. It allows an attacker with contributor-level privileges to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into a website. These scripts execute when visitors access the site, potentially compromising the site's integrity and user experience. [1]
How can this vulnerability impact me? :
The vulnerability can allow attackers to inject malicious scripts that execute in visitors' browsers, which can lead to unwanted redirects, display of unauthorized advertisements, or other harmful actions. This can damage the website's reputation, degrade user trust, and potentially lead to further exploitation. However, the vulnerability is considered low severity and unlikely to be widely exploited. It requires contributor-level access to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking the version of the Meks Flexible Shortcodes plugin installed on your WordPress site. If the version is 1.3.7 or earlier, it is vulnerable. You can detect the plugin version by running the following command in your WordPress installation directory: `wp plugin list | grep meks-flexible-shortcodes`. Additionally, monitoring for unusual script injections or unexpected redirects in your website's pages may indicate exploitation attempts. For more advanced detection, consider using server-side malware scanning or professional incident response services, as plugin-based malware scanners may be unreliable if compromised. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Meks Flexible Shortcodes plugin to version 1.3.8 or later, where the vulnerability is fixed. If updating immediately is not possible, applying virtual patching (vPatching) provided by Patchstack can auto-mitigate the vulnerability without performance loss. Additionally, restrict contributor-level privileges to trusted users only, as exploitation requires such privileges. In case of suspected compromise, seek professional incident response or perform server-side malware scanning. [1]