CVE-2025-0370 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WP Shortcodes Plugin — Shortcodes Ultimate developed by gn_themes for WordPress. The vulnerability exists due to insufficient sanitization and escaping of the 'src' parameter in shortcode inputs, which allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 7.3.3 of the plugin. Exploitation does not require user interaction but does require authenticated access with at least Contributor privileges, which are commonly granted to users who can submit content. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and no user interaction needed. The scope is changed (S:C), indicating the vulnerability can affect resources beyond the vulnerable component. No patches or official fixes have been linked yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in early January 2025 and published in March 2025. Given the widespread use of WordPress and the popularity of this plugin, the vulnerability poses a significant risk to websites that rely on it for shortcode functionality.

The impact of CVE-2025-0370 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows an attacker with Contributor-level access to inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection to malicious sites. While availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations running websites with this plugin are at risk of compromise, especially if they allow multiple contributors or have less stringent access controls. The vulnerability could be leveraged in targeted attacks against high-value websites or used in broader campaigns to compromise multiple sites. The medium CVSS score reflects the need for authenticated access, which limits exposure but does not eliminate risk, especially in environments with many contributors or weak internal controls.

To mitigate CVE-2025-0370, organizations should first verify if they are using the WP Shortcodes Plugin — Shortcodes Ultimate and identify the plugin version. Immediate steps include restricting Contributor-level access to trusted users only and auditing existing content for injected scripts. Since no official patch is currently linked, administrators should consider disabling or removing the plugin until a fix is released. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'src' parameter can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regularly monitoring logs and user activity for suspicious behavior is advised. Once a vendor patch is available, prompt updating is critical. Developers and site administrators should also review and harden input validation and output encoding practices for all user-generated content, especially in plugins that handle shortcode inputs.