Skip to main content

CVE-2025-6944: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in undsgn Uncode Core

Medium
VulnerabilityCVE-2025-6944cvecve-2025-6944cwe-79
Published: Fri Jul 04 2025 (07/04/2025, 05:23:36 UTC)
Source: CVE Database V5
Vendor/Project: undsgn
Product: Uncode Core

Description

The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/04/2025, 05:54:42 UTC

Technical Analysis

CVE-2025-6944 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Uncode Core plugin for WordPress, specifically impacting all versions up to and including 2.9.4.2. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. It involves insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes. An authenticated attacker with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access, no user interaction, and impacts confidentiality and integrity with a scope change due to the potential for cross-site scripting affecting other users. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is significant because WordPress is widely used across many organizations, and plugins like Uncode Core are popular for enhancing site functionality and design, making this a relevant threat vector for web infrastructure security.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to websites and web applications built on WordPress using the Uncode Core plugin. Successful exploitation can lead to theft of user credentials, session tokens, or other sensitive information, compromising user confidentiality. It can also allow attackers to manipulate site content or redirect users to malicious domains, damaging organizational reputation and trust. Since the vulnerability requires contributor-level access, insider threats or compromised accounts are critical risk factors. The scope of impact includes any user visiting the infected pages, potentially affecting customers, employees, or partners. Given the widespread use of WordPress in Europe for corporate websites, e-commerce, and public sector portals, this vulnerability could disrupt business operations and data privacy compliance, especially under GDPR regulations. However, the lack of known active exploitation reduces immediate risk, but the medium severity score and ease of exploitation warrant prompt attention.

Mitigation Recommendations

European organizations should prioritize the following specific actions: 1) Immediately audit WordPress installations to identify the presence and version of the Uncode Core plugin. 2) Restrict contributor-level access strictly to trusted users and review user roles to minimize privilege creep. 3) Implement Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable shortcodes. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5) Monitor logs for unusual activity related to shortcode usage or unexpected script injections. 6) Engage with the plugin vendor or community to obtain or develop patches and apply them as soon as they become available. 7) Educate content contributors about safe input practices and the risks of injecting untrusted content. 8) Consider temporary disabling or replacing the Uncode Core plugin if patching is delayed. These targeted measures go beyond generic advice by focusing on access control, detection, and containment specific to this vulnerability's exploitation vector.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-30T23:19:41.110Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686769146f40f0eb729f45ac

Added to database: 7/4/2025, 5:39:32 AM

Last enriched: 7/4/2025, 5:54:42 AM

Last updated: 7/4/2025, 7:01:14 AM

Views: 3

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats