CVE-2025-4126: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in emmanuelg EG-Series
The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
AI Analysis
Technical Summary
CVE-2025-4126 is a stored XSS vulnerability in the EG-Series WordPress plugin's [series] shortcode, present in all versions up to 2.1.1. The issue is due to improper neutralization of script-related HTML tags (CWE-80) caused by insufficient sanitization and escaping of user-supplied attributes in the shortcode_title function. Authenticated attackers with contributor or higher privileges on sites using the Classic Editor plugin can inject malicious JavaScript in the titletag attribute, which executes when the page is viewed. This vulnerability allows limited cross-site scripting attacks without requiring user interaction.
Potential Impact
An attacker with contributor-level access or higher can inject persistent malicious JavaScript code that executes in the context of users visiting the affected page. This can lead to limited confidentiality and integrity impacts such as theft of session tokens or modification of page content. The vulnerability does not affect availability. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, site administrators should restrict contributor-level access and above to trusted users only and consider disabling the Classic Editor plugin if feasible, as it is a prerequisite for exploitation. Monitoring for suspicious shortcode usage may help detect exploitation attempts.
CVE-2025-4126: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in emmanuelg EG-Series
Description
The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-4126 is a stored XSS vulnerability in the EG-Series WordPress plugin's [series] shortcode, present in all versions up to 2.1.1. The issue is due to improper neutralization of script-related HTML tags (CWE-80) caused by insufficient sanitization and escaping of user-supplied attributes in the shortcode_title function. Authenticated attackers with contributor or higher privileges on sites using the Classic Editor plugin can inject malicious JavaScript in the titletag attribute, which executes when the page is viewed. This vulnerability allows limited cross-site scripting attacks without requiring user interaction.
Potential Impact
An attacker with contributor-level access or higher can inject persistent malicious JavaScript code that executes in the context of users visiting the affected page. This can lead to limited confidentiality and integrity impacts such as theft of session tokens or modification of page content. The vulnerability does not affect availability. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, site administrators should restrict contributor-level access and above to trusted users only and consider disabling the Classic Editor plugin if feasible, as it is a prerequisite for exploitation. Monitoring for suspicious shortcode usage may help detect exploitation attempts.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-30T07:41:32.308Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fb1484d88663aec6f1
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 4/9/2026, 10:19:15 AM
Last updated: 5/8/2026, 9:57:03 PM
Views: 140
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.