{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11764", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T21:16:52.448Z", "datePublished": "2025-11-21T07:31:56.294Z", "dateUpdated": "2026-04-08T17:27:04.469Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:04.469Z"}, "affected": [{"vendor": "fastmover", "product": "Shortcodes Bootstrap", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the [notification] shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Shortcodes Bootstrap <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9363db7-4535-427d-a6ae-2580f215b965?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-bootstrap/trunk/inc/dws_alert.php#L16"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2025-11-20T19:20:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T14:48:00.837391Z", "id": "CVE-2025-11764", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:56:33.904Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11764", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T14:48:00.837391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:53:44.814Z"}}], "cna": {"title": "Shortcodes Bootstrap <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "fastmover", "product": "Shortcodes Bootstrap", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T19:20:50.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9363db7-4535-427d-a6ae-2580f215b965?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-bootstrap/trunk/inc/dws_alert.php#L16"}], "descriptions": [{"lang": "en", "value": "The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the [notification] shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-21T07:31:56.294Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11764", "state": "PUBLISHED", "dateUpdated": "2025-11-21T14:56:33.904Z", "dateReserved": "2025-10-14T21:16:52.448Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:56.294Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the [notification] shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11764", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:49.133", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortcodes-bootstrap/trunk/inc/dws_alert.php#L16"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9363db7-4535-427d-a6ae-2580f215b965?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:06:22.431416+00:00", "value": {"mitigation_remediation": ["Upgrade the Shortcodes Bootstrap plug\u2011in to any version newer than 1.1, which implements proper sanitization and escaping for the \u2018type\u2019 parameter.", "If an upgrade cannot be performed immediately, reduce the privileges of users with the Contributor role or replace that role with one that cannot edit or insert notifications. This limits the window of opportunity for an attacker to inject code.", "As a temporary workaround, edit the dws_alert.php file to validate or escape the \u2018type\u2019 input before outputting it, or deploy a Content Security Policy that blocks inline scripts originating from the notification shortcode."], "summary": {"action": "Update Plugin", "impact": "Stored cross-site scripting via the \u2018type\u2019 attribute of the [notification] shortcode that requires contributor-level authentication."}, "threat_synthesis": {"affected_systems": "All installations of the Shortcodes Bootstrap plug\u2011in version 1.1 or earlier are vulnerable. Exploitation is limited to WordPress accounts with the Contributor role or higher, including authors, editors, and administrators, who can insert or edit the notification shortcode.", "description_and_impact": "The Shortcodes Bootstrap plug\u2011in for WordPress stores the raw content supplied in the \u2018type\u2019 attribute of its [notification] shortcode when a page is saved. Because the value is neither sanitized nor escaped before being written to the database or rendered, malicious JavaScript can be inserted and later executed in the browser of any user who views the affected page. The flaw allows an attacker who can edit or create a notification to place arbitrary code that will run automatically for each site visitor, presenting the possibility of script execution within the user\u2019s session context.", "risk_and_exploitability": "The CVSS score of 6.4 classifies this vulnerability as moderate. The EPSS score of less than 1% indicates that, as of this assessment, the likelihood of observed exploitation is low. The flaw is not listed in the CISA KEV catalog. Successful exploitation requires an authenticated session for a user with contributor-level access, the ability to inject the \u2018type\u2019 parameter into the shortcode, and subsequent viewing of the affected page by site visitors. Once the malicious code is stored, it will execute automatically in the browsers of anyone who loads the page containing the shortcode, without any additional user interaction."}}}}, "created": "2025-11-24T09:09:50.242998+00:00", "updated": "2026-04-21T18:15:36.367909+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}