CVE-2025-7649

Name of the Vulnerable Software and Affected Versions: Surbma | Recent Comments Shortcode plugin for WordPress versions up to and including 2.0

Description: The Surbma | Recent Comments Shortcode plugin for WordPress is susceptible to Stored Cross-Site Scripting via the plugin's recent-comments shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page.

Recommendations: Versions prior to 2.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.