{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4126", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-30T07:41:32.308Z", "datePublished": "2025-05-15T03:21:39.238Z", "dateUpdated": "2026-04-08T17:14:33.136Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:33.136Z"}, "affected": [{"vendor": "emmanuelg", "product": "EG-Series", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page."}], "title": "EG-Series <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab518a1b-304d-4b93-b807-65ef3941dd47?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eg-series/trunk/lib/eg-plugin.inc.php#L546"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-05-14T14:24:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-15T14:10:43.569748Z", "id": "CVE-2025-4126", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T14:10:57.806Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-15T14:10:43.569748Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T14:10:53.112Z"}}], "cna": {"title": "EG-Series <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "muhammad yudha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "emmanuelg", "product": "EG-Series", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-14T14:24:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab518a1b-304d-4b93-b807-65ef3941dd47?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eg-series/trunk/lib/eg-plugin.inc.php#L546"}], "descriptions": [{"lang": "en", "value": "The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-15T03:21:39.238Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4126", "state": "PUBLISHED", "dateUpdated": "2025-05-15T14:10:57.806Z", "dateReserved": "2025-04-30T07:41:32.308Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-15T03:21:39.238Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page."}, {"lang": "es", "value": "El complemento EG-Series para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode [series] en todas las versiones hasta la 2.1.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario en la funci\u00f3n shortcode_title. Esto permite a atacantes autenticados (con acceso de colaborador o superior, en sitios con el complemento Classic Editor activado) inyectar c\u00f3digo JavaScript arbitrario en el atributo titletag, que se ejecutar\u00e1 cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-4126", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-15T04:16:17.283", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eg-series/trunk/lib/eg-plugin.inc.php#L546"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab518a1b-304d-4b93-b807-65ef3941dd47?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:48:13.472035+00:00", "value": {"mitigation_remediation": ["Upgrade EG\u2011Series to the latest version that addresses the XSS flaw.", "If a patch is not yet available, remove or restrict the [series] shortcode from publicly accessible content, or configure it to be used only by trusted authors.", "Disable the Classic Editor plugin if it is not required, or constrain contributor roles so they cannot edit pages that could contain the shortcode.", "Apply proper input validation and output escaping to any custom shortcodes you develop, following WordPress best practices."], "summary": {"action": "Assess Impact", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the EG\u2011Series plugin version 2.1.1 or earlier is vulnerable, provided the Classic Editor plugin is active. The Classic Editor allows contributors to add or edit content, so sites where contributors have page\u2011editing rights and the Classic Editor is enabled are at risk. The vulnerability is specific to the EG\u2011Series product by emmanuelg.", "description_and_impact": "The EG\u2011Series WordPress plugin contains a stored cross\u2011site scripting flaw in its [series] shortcode. The shortcode accepts a \"titletag\" attribute that is not properly sanitized or escaped. An attacker who can authenticate with contributor\u2011level access or higher can embed arbitrary JavaScript into that attribute. When a page containing the injected shortcode is viewed, the malicious script executes in the victim\u2019s browser context.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the short term. Attackers must first authenticate to the WordPress site with at least contributor privileges; the flaw is not remotely exploitable without authentication. The issue is not listed in the CISA KEV catalog, so it is not known to be actively exploited in the wild. Overall risk is moderate, contingent on the presence of a compromised contributor account and the Classic Editor plugin."}}}}, "created": "2025-07-13T11:22:45.222360+00:00", "updated": "2026-04-21T21:00:35.998488+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}