{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6944", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-30T23:19:41.110Z", "datePublished": "2025-07-04T05:23:36.104Z", "dateUpdated": "2026-04-08T16:52:51.668Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:51.668Z"}, "affected": [{"vendor": "undsgn", "product": "Uncode Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Uncode Core <= 2.9.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52935b60-3ec5-45e6-9d12-200bf107c9df?source=cve"}, {"url": "https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-07-01T17:01:58.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-07T14:38:35.563775Z", "id": "CVE-2025-6944", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T15:01:41.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-07T14:38:35.563775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T14:40:54.447Z"}}], "cna": {"title": "Uncode Core <= 2.9.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "undsgn", "product": "Uncode Core", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.9.4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-01T17:01:58.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-03T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52935b60-3ec5-45e6-9d12-200bf107c9df?source=cve"}, {"url": "https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log"}], "descriptions": [{"lang": "en", "value": "The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-04T05:23:36.104Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6944", "state": "PUBLISHED", "dateUpdated": "2025-07-07T15:01:41.604Z", "dateReserved": "2025-06-30T23:19:41.110Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-04T05:23:36.104Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Uncode Core para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los shortcodes 'uncode_hl_text' y 'uncode_text_icon' en todas las versiones hasta la 2.9.4.2 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6944", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-04T06:15:25.203", "references": [{"source": "security@wordfence.com", "url": "https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52935b60-3ec5-45e6-9d12-200bf107c9df?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:51:49.646597+00:00", "value": {"mitigation_remediation": ["Upgrade the Uncode Core plugin to a version newer than 2.9.4.2, where the input sanitization issue has been resolved.", "If an immediate upgrade is not possible, delete or disable the 'uncode_hl_text' and 'uncode_text_icon' shortcodes from any content before publishing.", "Restrict contributor role privileges or implement a content approval workflow so that only trusted users can publish content containing shortcodes."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All versions of the Uncode Core plugin up to and including 2.9.4.2 are affected. The product is provided by undsgn as the Uncode Core WordPress plugin.", "description_and_impact": "The Uncode Core plugin for WordPress contains a stored cross\u2011site scripting vulnerability in its 'uncode_hl_text' and 'uncode_text_icon' shortcodes. Unsanitized user\u2011supplied attributes are rendered without escaping, allowing a contributor\u2011level attacker to embed arbitrary JavaScript that runs whenever anyone views the affected page. This can lead to session hijacking, defacement, or other malicious actions against site visitors.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, and the current EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability requires authenticated access with contributor or higher privileges; the attacker does not need to exploit a memory corruption or privilege escalation bug. Because it is not listed in the CISA KEV, there are no publicly known active exploits, but the data suggests that the issue is critical for sites that allow contributors. Site owners should treat this as a moderate risk that can be mitigated by patching."}}}}, "created": "2025-07-13T22:31:30.615910+00:00", "updated": "2026-04-21T20:00:25.895082+00:00", "vendors": ["undsgn", "undsgn$PRODUCT$uncode", "wordpress", "wordpress$PRODUCT$wordpress"]}