{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5567", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-03T19:20:11.841Z", "datePublished": "2025-07-04T02:22:33.158Z", "dateUpdated": "2026-04-08T17:34:36.169Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:36.169Z"}, "affected": [{"vendor": "gn_themes", "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.4.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Shortcodes Ultimate <= 7.4.0 - Authenticted (Contributor+) Stored Cross-Site Scripting via 'data-url' Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbd67145-5b95-4890-a265-1dd7a029aec6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.0/includes/js/shortcodes/index.js"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-05-27T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-06-09T07:22:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-03T14:14:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-07T14:38:36.577262Z", "id": "CVE-2025-5567", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T15:01:49.941Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5567", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-07T14:38:36.577262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T14:40:55.449Z"}}], "cna": {"title": "Shortcodes Ultimate <= 7.4.0 - Authenticted (Contributor+) Stored Cross-Site Scripting via 'data-url' Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gn_themes", "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.4.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-27T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-06-09T07:22:26.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-03T14:14:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbd67145-5b95-4890-a265-1dd7a029aec6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.0/includes/js/shortcodes/index.js"}], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:36.169Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5567", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:36.169Z", "dateReserved": "2025-06-03T19:20:11.841Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-04T02:22:33.158Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getshortcodes:shortcodes_ultimate:*:*:*:*:-:wordpress:*:*", "matchCriteriaId": "B532C01A-6B7A-40C9-A68C-32FABD3B573F", "versionEndExcluding": "7.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WP Shortcodes \u2014 Shortcodes Ultimate para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del atributo del elemento DOM 'data-url' en todas las versiones hasta la 7.4.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5567", "lastModified": "2025-07-09T17:50:47.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-04T03:15:21.040", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/tags/7.4.0/includes/js/shortcodes/index.js"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbd67145-5b95-4890-a265-1dd7a029aec6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:23:25.897767+00:00", "value": {"mitigation_remediation": ["Upgrade the Shortcodes Ultimate plugin to version\u202f7.4.1 or later, where the 'data-url' attribute is properly sanitized and escaped.", "If an upgrade is not immediately possible, disable the plugin or remove it entirely to prevent the vulnerable code from executing.", "Reduce the permissions granted to Contributor role users, or enforce stricter role restrictions, so that only trusted administrators can create content that passes through the affected attribute."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Shortcodes Ultimate plugin, versions 7.4.0 and earlier, are affected. The issue exists across all releases up to and including 7.4.0, regardless of site configuration.", "description_and_impact": "The WP Shortcodes Plugin \u2014 Shortcodes Ultimate has a stored XSS flaw that allows an attacker to embed arbitrary scripts via the 'data-url' attribute. When a page containing the injected payload is viewed, the script executes in the victim\u2019s browser, enabling credential theft, session hijacking, or defacement. The vulnerability is caused by inadequate sanitization of user input and insufficient escaping when rendering the attribute, which aligns with the CWE\u201179 weakness of cross\u2011site scripting.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score of less than 1\u202f% suggests that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector requires an authenticated user with Contributor privileges or higher, meaning that anyone with sufficient role access can inject malicious scripts into the plugin\u2019s output. Once injected, any visitor who views the affected page will automatically run the payload, making this a high\u2011impact attack path for privileged users."}}}}, "created": "2026-04-20T22:30:19.871717+00:00", "updated": "2026-04-20T22:30:19.871737+00:00", "vendors": []}