CVE-2025-7354
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-07-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | shortcodes_ultimate | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WP Shortcodes Plugin β Shortcodes Ultimate for WordPress, affecting all versions up to and including 7.4.2. It occurs because the plugin does not properly sanitize and escape user-supplied attributes in its shortcodes. As a result, authenticated users with contributor-level access or higher can inject malicious scripts into pages. These scripts then execute whenever any user views the infected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access or above to inject arbitrary JavaScript code into WordPress pages via shortcode attributes. This can lead to malicious script execution in the browsers of users who visit the affected pages. Potential impacts include theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the victim user. Since the attack is stored, the malicious code persists and affects all visitors to the compromised content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via shortcode attributes in the WP Shortcodes Ultimate plugin up to version 7.4.2. Detection can be performed by scanning WordPress posts or pages for injected malicious scripts within shortcode attributes, especially those accessible by contributor-level users or above. Since the vulnerability allows injection of arbitrary scripts in shortcode attributes, you can search the WordPress database for suspicious shortcode usage containing script tags or event handlers. For example, you can run SQL queries on the WordPress database to find shortcodes with suspicious content, such as:<br><br>1. Using WP-CLI to search post content for suspicious shortcodes:<br>```wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[post%<script%' OR post_content LIKE '%[post%onerror=%'"```<br><br>2. Using grep on exported content or backups:<br>```grep -r '\[post.*<script' /path/to/wordpress/wp-content/uploads/```<br><br>3. Use security scanners or plugins that detect stored XSS payloads in post content.<br><br>Note: There are no specific commands provided in the resources, but these general approaches can help detect injected scripts in shortcode attributes. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:<br>1. Update the WP Shortcodes Ultimate plugin to a version later than 7.4.2 where the vulnerability is fixed.<br>2. Restrict contributor-level and above users from adding or editing shortcodes until the plugin is updated.<br>3. Review and sanitize existing posts/pages for injected scripts in shortcode attributes.<br>4. Disable or restrict usage of shortcodes that accept user-supplied attributes if possible.<br>5. Implement Web Application Firewall (WAF) rules to block common XSS payloads targeting shortcode attributes.<br><br>Since the vulnerability arises from insufficient input sanitization and output escaping, updating the plugin is the most effective immediate step.