{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11763", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T21:11:20.360Z", "datePublished": "2025-11-21T07:31:57.219Z", "dateUpdated": "2026-04-08T17:28:29.483Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:29.483Z"}, "affected": [{"vendor": "rustybadrobot", "product": "Display Pages Shortcode", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Display Pages Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df4ada5f-6008-40b9-ad83-c6af82e64e9f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L513"}, {"url": "https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L517"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2025-11-20T19:28:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T14:47:59.397843Z", "id": "CVE-2025-11763", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:56:23.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11763", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T14:47:59.397843Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:53:43.552Z"}}], "cna": {"title": "Display Pages Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "rustybadrobot", "product": "Display Pages Shortcode", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T19:28:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df4ada5f-6008-40b9-ad83-c6af82e64e9f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L513"}, {"url": "https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L517"}], "descriptions": [{"lang": "en", "value": "The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:29.483Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11763", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:29.483Z", "dateReserved": "2025-10-14T21:11:20.360Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:57.219Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11763", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:48.900", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L513"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L517"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df4ada5f-6008-40b9-ad83-c6af82e64e9f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:26:16.212561+00:00", "value": {"mitigation_remediation": ["Install the latest version of the Display Pages Shortcode plugin that removes the vulnerable 'column_count' handling (e.g., any release after 1.1).", "If an immediate upgrade is not available, ensure the 'column_count' value is properly stripped of HTML/JavaScript before it is stored or rendered by escaping or sanitizing the input.", "Review and limit contributor\u2011level permissions or remove the shortcode capability for roles that should not be able to add or edit shortcodes, and audit existing content for injected scripts."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting that allows arbitrary JavaScript execution for all page visitors"}, "threat_synthesis": {"affected_systems": "The issue targets the Display Pages Shortcode plugin produced by Rustybadrobot for WordPress. All releases <= 1.1 are affected; versions after 1.1 are presumed patched.", "description_and_impact": "An authenticated user with contributor\u2011level or higher can exploit the 'column_count' parameter in the [display-pages] shortcode caused by inadequate input sanitization. This allows the user to store malicious JavaScript that will run whenever anyone views the affected page, enabling credential theft, defacement, or execution of arbitrary client\u2011side code. The vulnerability is a stored cross\u2011site scripting flaw (CWE\u201179) that can persist within stored content and affect all visitors to the page.", "risk_and_exploitability": "With a CVSS score of 6.4 the vulnerability is considered moderate severity. The EPSS score of less than 1% indicates a very low exploitation probability in the current threat landscape, and it is not listed in the CISA KEV catalog. However, because the flaw requires only contributor\u2011level access \u2013 a role commonly granted on many WordPress sites \u2013 and allows injection of arbitrary scripts that affect every visitor to a page, the risk to user sessions and data integrity can be significant. Attackers must first authenticate to the site, craft the malicious shortcode payload, place it on a page, and then wait for other users to visit that page for the script to execute."}}}}, "created": "2025-11-24T09:09:19.244160+00:00", "updated": "2026-04-21T01:30:24.397909+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}