CVE-2025-5567 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WP Shortcodes Plugin — Shortcodes Ultimate for WordPress, developed by gn_themes. This vulnerability exists in all versions up to and including 7.4.0. The root cause is insufficient input sanitization and output escaping of the 'data-url' DOM element attribute within the plugin. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages via the vulnerable shortcode functionality. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating a failure to properly sanitize user input before rendering it in the web page context. The CVSS v3.1 base score is 6.4 (medium severity), reflecting a network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed on July 4, 2025, with the issue reserved on June 3, 2025, by Wordfence. This vulnerability is significant because WordPress powers a large portion of websites globally, and the Shortcodes Ultimate plugin is widely used to enhance site functionality, making this a potentially impactful attack vector if weaponized.

For European organizations, this vulnerability poses a moderate risk primarily to websites and web applications running WordPress with the affected Shortcodes Ultimate plugin installed. Exploitation could allow attackers with contributor-level access to inject persistent malicious scripts, which may lead to unauthorized data access, session hijacking, defacement, or distribution of malware to site visitors. This can damage brand reputation, lead to data breaches involving personal data protected under GDPR, and cause regulatory and financial repercussions. Since the attack requires authenticated access, insider threats or compromised contributor accounts are the main risk vectors. The scope change in the CVSS score indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other parts of the website or user sessions. European organizations with public-facing WordPress sites, especially those in sectors like e-commerce, media, education, and government, are at higher risk due to the value of their data and the potential for reputational damage. The lack of a patch at the time of disclosure increases the urgency for mitigation. However, the absence of known exploits in the wild suggests that immediate widespread exploitation is not yet observed, but proactive measures are critical.

1. Immediate mitigation should include restricting Contributor-level access to trusted users only and auditing existing contributor accounts for suspicious activity. 2. Disable or remove the WP Shortcodes Plugin — Shortcodes Ultimate if it is not essential to site functionality until a patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'data-url' attribute or shortcode inputs. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 5. Monitor website logs for unusual POST requests or shortcode usage patterns indicative of exploitation attempts. 6. Once available, promptly apply official patches or updates from the plugin vendor. 7. Educate site administrators and contributors about the risks of XSS and the importance of secure content input practices. 8. Consider additional hardening measures such as disabling shortcode execution for untrusted user roles or sanitizing inputs at the application level using security plugins or custom code. These steps go beyond generic advice by focusing on access control, proactive detection, and layered defense tailored to this specific vulnerability.