CVE-2025-8688
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elliott_bernstein | inline_stock_quotes | 0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Inline Stock Quotes WordPress plugin. It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its stock shortcode. As a result, authenticated users with contributor-level access or higher can inject malicious scripts into pages. These scripts then execute whenever any user views the infected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access or above to inject arbitrary web scripts into pages. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of other users without their consent. It compromises the security and trustworthiness of the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying WordPress sites using the Inline Stock Quotes plugin version 0.2 or earlier and checking for the presence of the [stock] shortcode in posts or pages. Since the vulnerability involves stored Cross-Site Scripting via user-supplied shortcode attributes, you can search the WordPress database for instances of the [stock] shortcode with suspicious or malicious script content. On the server, you might use commands to search the WordPress content database or files for the shortcode, for example: 1) Using WP-CLI to search posts: wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[stock%]%';" 2) Using grep on exported content or backups: grep -r '\[stock' /path/to/wordpress/wp-content/uploads/ or grep -r '\[stock' /path/to/wordpress/wp-content/themes/ 3) Monitor HTTP requests for unusual payloads targeting the shortcode or attempts to inject scripts. However, no specific detection commands are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Disable or uninstall the Inline Stock Quotes plugin, as it has been closed and is no longer available for download or updates. 2) Remove or sanitize any existing [stock] shortcodes in posts or pages to prevent execution of injected scripts. 3) Restrict contributor-level and above users from adding or editing content with the [stock] shortcode until a secure version is available. 4) Monitor and audit user inputs and shortcode usage for suspicious activity. Since the plugin is no longer maintained and vulnerable due to insufficient input sanitization, removing or disabling it is the most effective immediate action. [1]