CVE-2025-6944: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in undsgn Uncode Core
The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-6944 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Uncode Core plugin for WordPress, specifically impacting all versions up to and including 2.9.4.2. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. It involves insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes. An authenticated attacker with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access, no user interaction, and impacts confidentiality and integrity with a scope change due to the potential for cross-site scripting affecting other users. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is significant because WordPress is widely used across many organizations, and plugins like Uncode Core are popular for enhancing site functionality and design, making this a relevant threat vector for web infrastructure security.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites and web applications built on WordPress using the Uncode Core plugin. Successful exploitation can lead to theft of user credentials, session tokens, or other sensitive information, compromising user confidentiality. It can also allow attackers to manipulate site content or redirect users to malicious domains, damaging organizational reputation and trust. Since the vulnerability requires contributor-level access, insider threats or compromised accounts are critical risk factors. The scope of impact includes any user visiting the infected pages, potentially affecting customers, employees, or partners. Given the widespread use of WordPress in Europe for corporate websites, e-commerce, and public sector portals, this vulnerability could disrupt business operations and data privacy compliance, especially under GDPR regulations. However, the lack of known active exploitation reduces immediate risk, but the medium severity score and ease of exploitation warrant prompt attention.
Mitigation Recommendations
European organizations should prioritize the following specific actions: 1) Immediately audit WordPress installations to identify the presence and version of the Uncode Core plugin. 2) Restrict contributor-level access strictly to trusted users and review user roles to minimize privilege creep. 3) Implement Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable shortcodes. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5) Monitor logs for unusual activity related to shortcode usage or unexpected script injections. 6) Engage with the plugin vendor or community to obtain or develop patches and apply them as soon as they become available. 7) Educate content contributors about safe input practices and the risks of injecting untrusted content. 8) Consider temporary disabling or replacing the Uncode Core plugin if patching is delayed. These targeted measures go beyond generic advice by focusing on access control, detection, and containment specific to this vulnerability's exploitation vector.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-6944: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in undsgn Uncode Core
Description
The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI-Powered Analysis
Technical Analysis
CVE-2025-6944 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Uncode Core plugin for WordPress, specifically impacting all versions up to and including 2.9.4.2. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. It involves insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes. An authenticated attacker with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access, no user interaction, and impacts confidentiality and integrity with a scope change due to the potential for cross-site scripting affecting other users. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is significant because WordPress is widely used across many organizations, and plugins like Uncode Core are popular for enhancing site functionality and design, making this a relevant threat vector for web infrastructure security.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites and web applications built on WordPress using the Uncode Core plugin. Successful exploitation can lead to theft of user credentials, session tokens, or other sensitive information, compromising user confidentiality. It can also allow attackers to manipulate site content or redirect users to malicious domains, damaging organizational reputation and trust. Since the vulnerability requires contributor-level access, insider threats or compromised accounts are critical risk factors. The scope of impact includes any user visiting the infected pages, potentially affecting customers, employees, or partners. Given the widespread use of WordPress in Europe for corporate websites, e-commerce, and public sector portals, this vulnerability could disrupt business operations and data privacy compliance, especially under GDPR regulations. However, the lack of known active exploitation reduces immediate risk, but the medium severity score and ease of exploitation warrant prompt attention.
Mitigation Recommendations
European organizations should prioritize the following specific actions: 1) Immediately audit WordPress installations to identify the presence and version of the Uncode Core plugin. 2) Restrict contributor-level access strictly to trusted users and review user roles to minimize privilege creep. 3) Implement Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable shortcodes. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5) Monitor logs for unusual activity related to shortcode usage or unexpected script injections. 6) Engage with the plugin vendor or community to obtain or develop patches and apply them as soon as they become available. 7) Educate content contributors about safe input practices and the risks of injecting untrusted content. 8) Consider temporary disabling or replacing the Uncode Core plugin if patching is delayed. These targeted measures go beyond generic advice by focusing on access control, detection, and containment specific to this vulnerability's exploitation vector.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-30T23:19:41.110Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 686769146f40f0eb729f45ac
Added to database: 7/4/2025, 5:39:32 AM
Last enriched: 7/4/2025, 5:54:42 AM
Last updated: 7/4/2025, 7:01:14 AM
Views: 3
Related Threats
CVE-2025-6673: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nikelschubert Easy restaurant menu manager
MediumCVE-2025-53600: CWE-346 Origin Validation Error in NAVER NAVER Whale browser
HighCVE-2025-53599: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in NAVER NAVER Whale browser
HighCVE-2025-5372: Incorrect Calculation in Red Hat Red Hat Enterprise Linux 10
MediumCVE-2025-7053: Cross Site Scripting in Cockpit
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.