{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7957", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-21T13:20:20.335Z", "datePublished": "2025-08-23T04:25:49.271Z", "dateUpdated": "2026-04-08T17:32:58.811Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:58.811Z"}, "affected": [{"vendor": "surror", "product": "ShortcodeHub \u2013 MultiPurpose Shortcode Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018author_link_target\u2019 parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ShortcodeHub <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via author_link_target Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3db71e8-1a0c-47d8-babd-a84a25a8b467?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodehub/trunk/inc/classes/useful-shortcodes/class-sh-useful-shortcodes-theme.php#L133"}, {"url": "https://wordpress.org/plugins/shortcodehub/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-08-22T15:48:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T14:40:13.032431Z", "id": "CVE-2025-7957", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T14:40:26.967Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7957", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-25T14:40:13.032431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T14:40:21.669Z"}}], "cna": {"title": "ShortcodeHub <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via author_link_target Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "surror", "product": "ShortcodeHub \u2013 MultiPurpose Shortcode Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T15:48:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3db71e8-1a0c-47d8-babd-a84a25a8b467?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/shortcodehub/trunk/inc/classes/useful-shortcodes/class-sh-useful-shortcodes-theme.php#L133"}, {"url": "https://wordpress.org/plugins/shortcodehub/#developers"}], "descriptions": [{"lang": "en", "value": "The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018author_link_target\u2019 parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:58.811Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7957", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:58.811Z", "dateReserved": "2025-07-21T13:20:20.335Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-23T04:25:49.271Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018author_link_target\u2019 parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento ShortcodeHub para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'author_link_target' en todas las versiones hasta la 1.7.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-7957", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-23T05:15:33.460", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/shortcodehub/trunk/inc/classes/useful-shortcodes/class-sh-useful-shortcodes-theme.php#L133"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/shortcodehub/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3db71e8-1a0c-47d8-babd-a84a25a8b467?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:57:46.561100+00:00", "value": {"mitigation_remediation": ["Upgrade the ShortcodeHub plugin to its latest release, which removes the XSS vulnerability.", "If a newer release is unavailable, uninstall the ShortcodeHub plugin from the WordPress site to eliminate the stored\u2011script vector.", "Modify Contributor role capabilities so that contributors cannot edit shortcode parameters that may contain JavaScript, thereby limiting the ability to inject malicious content."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (CWE\u201179)"}, "threat_synthesis": {"affected_systems": "This issue impacts all versions of the ShortcodeHub \u2013 MultiPurpose Shortcode Builder plugin produced by surror that are 1.7.1 or earlier. The plugin is distributed as a standard WordPress plugin and is commonly used on sites that require advanced shortcode functionality.", "description_and_impact": "The ShortcodeHub WordPress plugin accepts an author_link_target parameter that is not properly sanitized or escaped. When a user with Contributor privileges or higher updates a shortcode containing this parameter, malicious JavaScript can be stored in the site database. Whenever another visitor views the affected page, the stored script is rendered and executed in the visitor\u2019s browser. The resulting persistent cross\u2011site scripting allows the attacker to run arbitrary client\u2011side code whenever the page is accessed, potentially revealing sensitive information or enabling session hijacking; however, this specific misuse is inferred from the nature of the flaw and not explicitly stated in the description.", "risk_and_exploitability": "The CVSS score of 6.4 classifies the vulnerability as moderate severity, while the EPSS score of less than 1% indicates a very low probability of real\u2011world exploitation at present. The flaw requires authenticated access with Contributor level or higher, so the attack vector is most likely an insider or a compromised user account rather than an unauthenticated attacker. The vulnerability is not listed in the CISA KEV catalog, further reducing the perceived urgency."}}}}, "created": "2025-08-23T10:54:56.230780+00:00", "updated": "2026-04-20T22:00:11.227666+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}