{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10180", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-09T14:29:09.325Z", "datePublished": "2025-09-26T06:43:29.077Z", "dateUpdated": "2026-04-08T16:51:46.734Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:46.734Z"}, "affected": [{"vendor": "jhoppe", "product": "Markdown Shortcode", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Markdown Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e9563b8-7e1b-4e87-8b56-17b75adb66c3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/markdown-shortcode/trunk/markdown-shortcode.php#L40"}, {"url": "https://github.com/JohannesHoppe/markdown-shortcode/releases/tag/v0.2.3"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365425%40markdown-shortcode&new=3365425%40markdown-shortcode&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-09-25T17:54:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-26T19:51:44.632099Z", "id": "CVE-2025-10180", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:52:01.102Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-22T18:11:25.433Z"}, "references": [{"url": "https://github.com/JohannesHoppe/markdown-shortcode/commit/2f02cd680eb60cc7d4a92cc64506095d304a95ff"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/JohannesHoppe/markdown-shortcode/commit/2f02cd680eb60cc7d4a92cc64506095d304a95ff"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-22T18:11:25.433Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10180", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-26T19:51:44.632099Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:51:55.304Z"}}], "cna": {"title": "Markdown Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jhoppe", "product": "Markdown Shortcode", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-25T17:54:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e9563b8-7e1b-4e87-8b56-17b75adb66c3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/markdown-shortcode/trunk/markdown-shortcode.php#L40"}, {"url": "https://github.com/JohannesHoppe/markdown-shortcode/releases/tag/v0.2.3"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365425%40markdown-shortcode&new=3365425%40markdown-shortcode&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-26T06:43:29.077Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10180", "state": "PUBLISHED", "dateUpdated": "2026-01-22T18:11:25.433Z", "dateReserved": "2025-09-09T14:29:09.325Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-26T06:43:29.077Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-10180", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-26T07:15:40.627", "references": [{"source": "security@wordfence.com", "url": "https://github.com/JohannesHoppe/markdown-shortcode/releases/tag/v0.2.3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/markdown-shortcode/trunk/markdown-shortcode.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365425%40markdown-shortcode&new=3365425%40markdown-shortcode&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e9563b8-7e1b-4e87-8b56-17b75adb66c3?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/JohannesHoppe/markdown-shortcode/commit/2f02cd680eb60cc7d4a92cc64506095d304a95ff"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:19:05.418066+00:00", "value": {"mitigation_remediation": ["Upgrade the Markdown Shortcode plugin to version 0.2.3 or later", "Verify that no malicious markdown content remains after the upgrade", "Restrict contributor roles or remove content editing permissions from untrusted users"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress sites that use the Markdown Shortcode plugin in a version up to and including 0.2.1 are affected. Versions 0.2.3 and newer contain the patch, so administrators should verify that such sites are running at least 0.2.3 or have removed the plugin.", "description_and_impact": "The vulnerability is a stored XSS flaw that allows an attacker with contributor\u2011level access or higher to execute arbitrary web scripts on any page containing the Markdown Shortcode plugin. The injected scripts run in the browsers of all users who view the affected page, enabling phishing, credential theft, or session hijacking. This weakness maps to CWE\u201179, underscoring deficiencies in input sanitization and output escaping.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS value of < 1% shows a low current exploitation probability; the vulnerability is not listed in the CISA KEV catalog. Attackers must first be authenticated with contributor or higher privileges to plant the malicious payload, so the risk is greatest in environments where such roles have access to edit content. Exploitation conditions are limited to the presence of the plugin and the injection of an attribute within a shortcode, after which the payload is rendered on page load for all visitors."}}}}, "created": "2025-09-29T09:31:24.647754+00:00", "updated": "2026-04-22T13:30:17.918946+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}