{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7649", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-14T17:27:25.138Z", "datePublished": "2025-08-16T03:38:49.073Z", "dateUpdated": "2026-04-08T16:54:39.058Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:39.058Z"}, "affected": [{"vendor": "surbma", "product": "Surbma | Recent Comments Shortcode", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Surbma | Recent Comments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'recent-comments' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Surbma | Recent Comments Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58e9c535-1b36-4795-b8f6-b38f3fc3d164?source=cve"}, {"url": "https://plugins.svn.wordpress.org/surbma-recent-comments-shortcode/tags/2.0/surbma-recent-comments-shortcode.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-06T11:21:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-15T14:46:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-18T13:37:19.600893Z", "id": "CVE-2025-7649", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T19:00:29.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7649", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T13:37:19.600893Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T13:37:33.315Z"}}], "cna": {"title": "Surbma | Recent Comments Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "surbma", "product": "Surbma | Recent Comments Shortcode", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-06T11:21:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-15T14:46:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58e9c535-1b36-4795-b8f6-b38f3fc3d164?source=cve"}, {"url": "https://plugins.svn.wordpress.org/surbma-recent-comments-shortcode/tags/2.0/surbma-recent-comments-shortcode.php"}], "descriptions": [{"lang": "en", "value": "The Surbma | Recent Comments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'recent-comments' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:39.058Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7649", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:39.058Z", "dateReserved": "2025-07-14T17:27:25.138Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-16T03:38:49.073Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Surbma | Recent Comments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'recent-comments' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Surbma | Recent Comments Shortcode para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode \"recent-comments\" del complemento en todas las versiones hasta la 2.0 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-7649", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-16T04:16:05.627", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/surbma-recent-comments-shortcode/tags/2.0/surbma-recent-comments-shortcode.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58e9c535-1b36-4795-b8f6-b38f3fc3d164?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:32:26.573436+00:00", "value": {"mitigation_remediation": ["Upgrade the Surbma plugin to a version newer than 2.0 where the input sanitization and output escaping are fixed. ", "If an update is not available, disable or remove the 'recent-comments' shortcode from public pages or uninstall the plugin entirely. ", "Restrict contributor users to minimal capabilities and monitor for unauthorized content changes. ", "Implement web application firewall rules or a content security policy to block execution of scripts injected via the shortcode."], "summary": {"action": "Patch or Update", "impact": "Stored Cross\u2011Site Scripting via insufficient input sanitization in the WordPress shortcode"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the Surbma | Recent Comments Shortcode plugin installed, on any version up to and including 2.0.", "description_and_impact": "The Surbma | Recent Comments Shortcode plugin for WordPress contains a stored cross\u2011site scripting flaw because it fails to sanitize user supplied attributes in the 'recent\u2011comments' shortcode. This allows an authenticated contributor or higher to inject arbitrary JavaScript that is stored in the content and will run in the browsers of any user who visits the page containing the shortcode. The resulting impact is script execution that can lead to session hijacking, defacement, or malware delivery.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of <1% shows a very low probability of exploitation. The vulnerability is not yet cataloged in the CISA KEV list. Exploitation requires an authenticated user with contributor-level access or higher, so the attack vector is likely via the WordPress shortcode mechanism. The overall risk can be considered low to moderate given the limited attacker access requirement and low exploitation likelihood."}}}}, "created": "2025-08-18T20:59:29.196537+00:00", "updated": "2026-04-21T03:45:27.371771+00:00", "vendors": ["surbma", "surbma$PRODUCT$recent_comments_shortcode", "wordpress", "wordpress$PRODUCT$wordpress"]}