{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8483", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-01T18:20:55.297Z", "datePublished": "2025-10-25T06:49:23.683Z", "dateUpdated": "2026-04-08T17:12:14.704Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:14.704Z"}, "affected": [{"vendor": "marketingfire", "product": "Discussion Board \u2013 WordPress Forum Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Discussion Board \u2013 WordPress Forum Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.5.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."}], "title": "Discussion Board \u2013 WordPress Forum Plugin <= 2.5.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a09659bc-e42b-4f08-a1a1-23e226be1be9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382300%40wp-discussion-board&new=3382300%40wp-discussion-board&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "timeline": [{"time": "2025-08-14T18:00:29.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:40:06.443141Z", "id": "CVE-2025-8483", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:40:24.854Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8483", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-27T15:40:06.443141Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:40:14.971Z"}}], "cna": {"title": "Discussion Board \u2013 WordPress Forum Plugin <= 2.5.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "marketingfire", "product": "Discussion Board \u2013 WordPress Forum Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-14T18:00:29.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a09659bc-e42b-4f08-a1a1-23e226be1be9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382300%40wp-discussion-board&new=3382300%40wp-discussion-board&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The The Discussion Board \u2013 WordPress Forum Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.5.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:14.704Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8483", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:14.704Z", "dateReserved": "2025-08-01T18:20:55.297Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T06:49:23.683Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Discussion Board \u2013 WordPress Forum Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.5.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."}], "id": "CVE-2025-8483", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T07:15:41.540", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382300%40wp-discussion-board&new=3382300%40wp-discussion-board&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a09659bc-e42b-4f08-a1a1-23e226be1be9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:04:11.945121+00:00", "value": {"mitigation_remediation": ["Update the Discussion Board plugin to a version newer than 2.5.5", "Restrict subscriber\u2011level users from executing shortcodes by adjusting plugin settings or removing the shortcode execution capability", "Review the site content for unexpected or suspicious shortcodes and delete any that are unnecessary"], "summary": {"action": "Patch", "impact": "Arbitrary Shortcode Execution via WordPress Shortcodes"}, "threat_synthesis": {"affected_systems": "All installed versions of marketingfire\u2019s Discussion Board \u2013 WordPress Forum Plugin up to and including 2.5.5 are affected. The plugin should be upgraded to any release newer than 2.5.5 to mitigate the issue.", "description_and_impact": "The vulnerability allows an authenticated user with Subscriber or higher privileges to insert and execute arbitrary WordPress shortcodes. The flaw arises because the plugin does not validate the shortcode value before passing it to do_shortcode, enabling the user to supply malicious code in the shortcode. Executing such a shortcode can lead to code execution, data exfiltration, or other malicious actions, as WordPress shortcodes can invoke a wide range of functions within the site.", "risk_and_exploitability": "The CVSS score of 6.3 reflects a moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild at the time of analysis. The flaw is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user who has Subscriber-level access or higher; the attacker would log in with valid credentials or compromise an account to leverage the plugin\u2019s shortcode execution feature. No public exploit is actively reported, but the consequence of successful exploitation includes full code execution on the affected WordPress site."}}}}, "created": "2025-10-27T22:10:19.331037+00:00", "updated": "2026-04-21T02:15:06.518852+00:00", "vendors": ["marketingfire", "marketingfire$PRODUCT$discussion_board", "wordpress", "wordpress$PRODUCT$wordpress"]}