CVE-2025-15488: CWE-863 Incorrect Authorization in Responsive Plus
CVE-2025-15488 is a medium severity vulnerability in the Responsive Plus WordPress plugin in versions before 3.4.3. It allows unauthenticated attackers to execute arbitrary shortcodes via the update_responsive_woo_free_shipping_left_shortcode AJAX action. The vulnerability arises because the plugin exposes the action to unauthenticated requests and passes the content_rech_data parameter to shortcode processing without validating it. Exploitation requires neither authentication nor user interaction and can lead to integrity and availability impacts on affected WordPress sites. No exploitation in the wild has been reported. Organizations using this plugin should update to version 3.4.3 or later and, until then, restrict access to the affected action.
AI Analysis
Technical Summary
CVE-2025-15488 is an authorization flaw classified under CWE-863 (Incorrect Authorization) in the Responsive Plus WordPress plugin prior to version 3.4.3. The flaw is in the AJAX action named update_responsive_woo_free_shipping_left_shortcode, which is reachable by unauthenticated visitors: WordPress routes AJAX calls through /wp-admin/admin-ajax.php, and an action registered on the unauthenticated (nopriv) hook can be invoked by anyone who can reach that file. The handler takes a parameter called content_rech_data and processes it as shortcode text without an authorization check or validation. WordPress shortcodes are server-side callbacks registered by the core, the theme and every active plugin, so arbitrary shortcode execution lets an attacker trigger any shortcode registered on the site, not only the plugin's own; the consequences depend on what those callbacks do (render content, change state, or perform expensive work). The CVSS v3.1 base score is 6.5 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, and low integrity and availability impacts. In practice an attacker could inject shortcodes that alter rendered content or disrupt the site, and could use the primitive as a stepping stone if a registered shortcode happens to do something more powerful. No public exploit is known, but the vulnerability is publicly disclosed and the affected action is trivial to reach, so it should be addressed promptly.
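The handler shape the advisory describes, shown as an added illustration rather than the plugin's actual source (which is not reproduced on this page): a callback registered on the unauthenticated `wp_ajax_nopriv_` hook that passes the raw `content_rech_data` POST field to `do_shortcode()`, beside a hardened version with a nonce, a capability check and a shortcode allow-list. Function names, the nonce action, the capability and the allow-listed shortcode name are assumptions made for the example; only the AJAX action and parameter names come from the advisory.

```php
<?php
/**
 * Illustrative reconstruction of the pattern described for CVE-2025-15488.
 * NOT the Responsive Plus source: function names, the nonce action, the
 * capability and the allow-listed shortcode name are assumptions for this
 * example. "Before" and "after" are shown side by side for reading; a real
 * plugin ships only one of the two handlers.
 */

// --- VULNERABLE PATTERN (before) ----------------------------------------------
// Registering on wp_ajax_nopriv_* makes the callback reachable by any visitor via
//   POST /wp-admin/admin-ajax.php  with  action=update_responsive_woo_free_shipping_left_shortcode
// do_shortcode() then expands ANY shortcode registered on the site that the
// request embeds in content_rech_data, e.g. "[some_other_plugin_shortcode]".
function rplus_demo_vulnerable_handler() {
	$content = isset( $_POST['content_rech_data'] ) ? wp_unslash( $_POST['content_rech_data'] ) : '';
	echo do_shortcode( $content ); // no nonce, no capability check, no allow-list
	wp_die();
}
add_action( 'wp_ajax_update_responsive_woo_free_shipping_left_shortcode', 'rplus_demo_vulnerable_handler' );
add_action( 'wp_ajax_nopriv_update_responsive_woo_free_shipping_left_shortcode', 'rplus_demo_vulnerable_handler' );

// --- HARDENED PATTERN (after) ---------------------------------------------------
// 1. No nopriv registration: this is an editor-side action, not a public one.
// 2. CSRF nonce plus capability check (the CWE-863 fix).
// 3. Only the shortcodes this feature needs are expanded; anything else stays literal.
function rplus_demo_hardened_handler() {
	check_ajax_referer( 'rplus_demo_shortcode_nonce', 'nonce' ); // assumed nonce action and field
	if ( ! current_user_can( 'manage_woocommerce' ) ) {           // assumed capability
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	$raw     = isset( $_POST['content_rech_data'] ) ? wp_unslash( $_POST['content_rech_data'] ) : '';
	$content = wp_kses_post( $raw ); // drop markup the editor should never accept

	$allowed = array( 'responsive_free_shipping_left' ); // assumed name of the feature's own shortcode
	wp_send_json_success( array( 'html' => rplus_demo_do_allowed_shortcodes( $content, $allowed ) ) );
}
add_action( 'wp_ajax_update_responsive_woo_free_shipping_left_shortcode', 'rplus_demo_hardened_handler' );

/**
 * Expand only the shortcodes in $allowed. do_shortcode() consults the global
 * $shortcode_tags registry, so the registry is narrowed for the duration of the
 * call and always restored afterwards.
 */
function rplus_demo_do_allowed_shortcodes( $content, array $allowed ) {
	global $shortcode_tags;
	$backup         = $shortcode_tags;
	$shortcode_tags = array_intersect_key( $backup, array_fill_keys( $allowed, true ) );
	try {
		return do_shortcode( $content );
	} finally {
		$shortcode_tags = $backup;
	}
}
```

The allow-list matters as much as the authorization check: even an authenticated editor should not be able to expand, say, a membership plugin's or a form plugin's shortcode through a free-shipping widget, and narrowing `$shortcode_tags` is the standard way to make `do_shortcode()` honour a subset of the registry.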
Potential Impact
The vulnerability enables unauthenticated attackers to execute arbitrary shortcodes on affected WordPress sites, potentially leading to unauthorized modification of rendered content, disruption of site availability, or other integrity issues. This can damage an organization's reputation, erode customer trust, and cause downtime or defacement. For e-commerce sites running WooCommerce with Responsive Plus, the affected feature sits in the storefront, so sales and customer experience can be directly affected. No confidentiality impact is scored, but the integrity and availability impact depends on which shortcodes are registered on the target site and what their callbacks do. Attackers might also use the flaw as a foothold for further attacks, such as privilege escalation or malware deployment, if a registered shortcode provides a usable primitive. Sites that rely on Responsive Plus for WooCommerce free shipping features are at risk until patched.
Mitigation Recommendations
1. Update the Responsive Plus plugin to version 3.4.3 or later, which contains the fix for the vulnerability.
2. Until the update is applied, block unauthenticated requests to the affected action. The action is reached through /wp-admin/admin-ajax.php with action=update_responsive_woo_free_shipping_left_shortcode; admin-ajax.php reads the action name from either the query string or the POST body, so a web application firewall (WAF) rule must inspect both, not just the URL. A WordPress-level hook (a must-use plugin that short-circuits the wp_ajax_nopriv_ hook for this action) is a reliable alternative where the WAF cannot inspect request bodies.
3. On the plugin side, the correct control is authorization, not just sanitization: the action should require a nonce and a capability check, and should expand only the shortcodes the feature needs rather than passing content_rech_data to the shortcode engine unchanged. Site owners cannot retrofit this without modifying plugin code, so steps 1 and 2 are the effective controls for them.
4. Monitor for suspicious requests targeting this action. Web-server access logs typically show only "POST /wp-admin/admin-ajax.php" because the action name travels in the request body, so logging at the WAF or WordPress layer is needed to see which action and which shortcode tags were attempted.
5. If the WooCommerce free-shipping shortcode feature is not in use, deactivate or remove the plugin, and keep plugin administration limited to trusted administrators.
6. Employ security plugins that can detect and block anomalous AJAX activity or unexpected shortcode execution.
7. Regularly audit WordPress plugins for updates and published vulnerabilities to reduce exposure.
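A virtual patch that implements the interim blocking and logging steps above, as an added example that is not part of the plugin or the advisory: a must-use plugin dropped into wp-content/mu-plugins/ that denies the unauthenticated route before the plugin's own callback runs and records each attempt. The action name is the one in the advisory; the log format, the 403 response shape, and the capability used for the optional authenticated-route check are choices made here.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-15488 (unauthenticated shortcode execution)
 * Description: Drop-in for wp-content/mu-plugins/. Denies and logs unauthenticated calls
 *              to the affected AJAX action until Responsive Plus >= 3.4.3 is installed.
 *
 * Added example, not Responsive Plus code. Only the action name comes from the advisory;
 * the log format, response shape and the capability below are assumptions.
 */

const RPLUS_VPATCH_ACTION = 'update_responsive_woo_free_shipping_left_shortcode';

/**
 * admin-ajax.php fires wp_ajax_nopriv_{action} for visitors who are not logged in.
 * Hooking at priority 0 runs before the plugin's own callback (default priority 10),
 * so the request is answered and terminated before it ever reaches do_shortcode().
 */
function rplus_vpatch_deny_unauthenticated() {
	rplus_vpatch_log( 'blocked-nopriv' );
	wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // ends the request via wp_die()
}
add_action( 'wp_ajax_nopriv_' . RPLUS_VPATCH_ACTION, 'rplus_vpatch_deny_unauthenticated', 0 );

/**
 * Optional tightening of the authenticated route. The advisory documents only the
 * unauthenticated path, but an editor-side shortcode updater has no business being
 * callable by low-privilege accounts. The capability is an assumption; adjust to the
 * site's roles.
 */
function rplus_vpatch_require_capability() {
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		rplus_vpatch_log( 'blocked-lowpriv' );
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	rplus_vpatch_log( 'allowed' );
}
add_action( 'wp_ajax_' . RPLUS_VPATCH_ACTION, 'rplus_vpatch_require_capability', 0 );

/**
 * One structured line per hit, written to the PHP error log. The action name is usually
 * carried in the POST body, so web-server access logs show only
 * "POST /wp-admin/admin-ajax.php"; logging at the WordPress layer is what makes the
 * attempts, and the shortcode tags they tried to use, visible.
 */
function rplus_vpatch_log( $outcome ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
	$ua = isset( $_SERVER['HTTP_USER_AGENT'] )
		? substr( sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ), 0, 200 ) : '-';
	$payload = isset( $_POST['content_rech_data'] ) ? (string) wp_unslash( $_POST['content_rech_data'] ) : '';

	// Record only the shortcode tag names the payload tried to expand, not the whole payload.
	preg_match_all( '/\[([a-zA-Z0-9_-]+)/', $payload, $matches );
	$tags = $matches[1] ? implode( ',', array_unique( $matches[1] ) ) : '-';

	error_log( sprintf(
		'cve-2025-15488 outcome=%s ip=%s user=%d tags=%s ua="%s"',
		$outcome, $ip, get_current_user_id(), $tags, $ua
	) );
}
```

Test on staging before deploying: if a storefront feature genuinely depends on the unauthenticated route, the first hook will break it, and that is worth knowing before production. Behind a reverse proxy, REMOTE_ADDR is the proxy's address and the real client IP must be taken from the forwarding header your proxy sets. Remove the file once the plugin is at 3.4.3 or later; its only purpose is to hold the line until then.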
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-01-08T16:00:27.167Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 3/26/2026, 1:48:07 PM
Last enriched: 3/26/2026, 2:03:37 PM
Last updated: 3/26/2026, 2:48:49 PM