PT-2025-9649 · WordPress · Wp Shortcodes Plugin+1

Matthew Rollings

Published

2025-03-04

Updated

2025-03-05

CVE-2025-0370

CVSS v3.1

6.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress versions up to, and including, 7.3.3

Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the src parameter. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page.

Recommendations For versions up to, and including, 7.3.3, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the src parameter to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2025-0370

Affected Products

Shortcodes Ultimate

Wp Shortcodes Plugin

PT-2025-9649 · WordPress · Wp Shortcodes Plugin+1

CVE-2025-0370

Weakness Enumeration

Related Identifiers

Affected Products

References · 9