{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11770", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T22:07:46.490Z", "datePublished": "2025-11-21T07:31:49.929Z", "dateUpdated": "2026-04-08T16:47:51.209Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:51.209Z"}, "affected": [{"vendor": "billybigpotatoes", "product": "BrightTALK WordPress Shortcode", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "BrightTALK WordPress Shortcode <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e3b5433-e17b-4ece-9e5c-ef4d818068dc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/brighttalk-wp-shortcode/tags/2.4.0/brighttalk-wp-shortcode.php#L130"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-11-20T19:22:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T17:04:58.167606Z", "id": "CVE-2025-11770", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T18:08:19.783Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11770", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-24T17:04:58.167606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T17:06:52.176Z"}}], "cna": {"title": "BrightTALK WordPress Shortcode <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "billybigpotatoes", "product": "BrightTALK WordPress Shortcode", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T19:22:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e3b5433-e17b-4ece-9e5c-ef4d818068dc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/brighttalk-wp-shortcode/tags/2.4.0/brighttalk-wp-shortcode.php#L130"}], "descriptions": [{"lang": "en", "value": "The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:51.209Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11770", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:51.209Z", "dateReserved": "2025-10-14T22:07:46.490Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:49.929Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11770", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:50.123", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/brighttalk-wp-shortcode/tags/2.4.0/brighttalk-wp-shortcode.php#L130"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e3b5433-e17b-4ece-9e5c-ef4d818068dc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:22:06.336396+00:00", "value": {"mitigation_remediation": ["Upgrade the BrightTALK WordPress Shortcode plugin to version 2.5 or newer, which removes the vulnerable format attribute.", "Restrict contributor-level access to trusted users and limit the number of accounts with edit rights.", "Scan existing posts that contain the brighttalk-time shortcode for injected scripts and sanitize or delete any malicious code.", "If an immediate upgrade is not possible, consider disabling the plugin or the brighttalk-time shortcode until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via authenticated contributor access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the BrightTALK WordPress Shortcode plugin installed, version 2.4.0 or earlier, regardless of site configuration. An attacker must have contributor or higher privileges on the site. The affected product is the plugin by billybigpotatoes.", "description_and_impact": "The BrightTALK WordPress Shortcode plugin allows a contributor\u2011level user to add a brighttalk-time shortcode with a 'format' attribute that is not properly sanitized. This stored cross\u2011site scripting flaw permits injection of arbitrary JavaScript that will run whenever any visitor views the page containing the shortcode. The payload could steal session cookies, deface the site, or redirect users to malicious sites, thereby compromising confidentiality, integrity, and availability of the website content.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of <1% suggests very low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires authenticated access with at least contributor role; once the attacker injects a malicious script, it executes in the browsers of any visitor to the affected page, exposing the site to client\u2011side attacks."}}}}, "created": "2025-11-24T09:09:41.500046+00:00", "updated": "2026-04-22T12:30:16.831555+00:00", "vendors": ["billybigpotatoes", "billybigpotatoes$PRODUCT$brighttalk_wordpress_shortcode", "wordpress", "wordpress$PRODUCT$wordpress"]}