{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13885", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T14:37:11.701Z", "datePublished": "2025-12-12T03:20:56.214Z", "dateUpdated": "2026-04-08T17:21:36.122Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:36.122Z"}, "affected": [{"vendor": "imran3229", "product": "Zenost Shortcodes", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Zenost Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c88d378a-6c58-4670-b0b6-0e0d51c39bd1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zenost-shortcodes/trunk/inc/shortcodes.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/zenost-shortcodes/tags/1.0/inc/shortcodes.php#L25"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2025-12-11T14:31:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T16:22:51.950878Z", "id": "CVE-2025-13885", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T16:23:05.872Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13885", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T16:22:51.950878Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T16:23:00.816Z"}}], "cna": {"title": "Zenost Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "imran3229", "product": "Zenost Shortcodes", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:31:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c88d378a-6c58-4670-b0b6-0e0d51c39bd1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zenost-shortcodes/trunk/inc/shortcodes.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/zenost-shortcodes/tags/1.0/inc/shortcodes.php#L25"}], "descriptions": [{"lang": "en", "value": "The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:36.122Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13885", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:36.122Z", "dateReserved": "2025-12-02T14:37:11.701Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:56.214Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13885", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:43.293", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zenost-shortcodes/tags/1.0/inc/shortcodes.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zenost-shortcodes/trunk/inc/shortcodes.php#L25"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c88d378a-6c58-4670-b0b6-0e0d51c39bd1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:29:16.383720+00:00", "value": {"mitigation_remediation": ["Upgrade Zenost Shortcodes to the latest available version or remove the plugin if no update exists.", "Audit all posts for injected button shortcodes and remove or sanitize the link and target attributes.", "Restrict Contributor and above user roles from using the button shortcode or enforce stricter permission checks."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All users of Zenost Shortcodes version 1.0 or earlier are affected. The vulnerability is present across all WordPress installations that have the plugin installed at the specified version.", "description_and_impact": "The Zenost Shortcodes plugin for WordPress contains a stored XSS flaw in the button shortcode that uses the link and target attributes. Because the plugin fails to sanitize or escape these inputs, an attacker who can create or edit content with Contributor\u2011level or higher privileges can inject arbitrary JavaScript that is stored within a page. When any user visits the affected page, the injected script runs in that user\u2019s browser, potentially exposing session cookies, defacing content, or redirecting traffic.", "risk_and_exploitability": "The CVSS score of 6.4 categorises the vulnerability as moderate severity, while an EPSS score of < 1% indicates a low yet non\u2011zero likelihood of exploitation. The issue is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Contributor or higher privileges and involves the user creating or editing a post that contains an injected button shortcode. Once stored, the malicious code executes for every visitor to the affected page."}}}}, "created": "2025-12-12T08:48:16.070534+00:00", "updated": "2026-04-20T21:30:18.596664+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}