Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link

July 22, 2025 invoker category_cve

CVE Details

Basic Information

Title Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link
Type cve
Published 2025-07-22T14:43:08.091Z
Modified 2025-07-22T14:55:47.508Z

Product Information

Vendor gn_themes
Product WP Shortcodes Plugin — Shortcodes Ultimate
Version *

CVSS Information

Base Score 6.4 (MEDIUM)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Affected Products

  • gn_themes WP Shortcodes Plugin — Shortcodes Ultimate *

Additional Information

CWE List CWE-79
Source Wordfence

Description

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image’s ‘Title’ and ‘Slide link’ fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.