CVE-2025-6944 is a stored cross-site scripting vulnerability identified in the Uncode Core plugin for WordPress, which is widely used for website design and content management. The vulnerability specifically affects the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes, which fail to properly sanitize and escape user-supplied attributes before rendering them on web pages. This improper neutralization of input (CWE-79) allows an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently in the website's content, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability does not require user interaction beyond visiting the affected page and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity and privileges required, but no user interaction needed. The scope is changed as the vulnerability affects the confidentiality and integrity of users interacting with the site. No patches have been linked yet, and no known exploits in the wild have been reported as of the publication date. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content to be embedded in pages.

The primary impact of CVE-2025-6944 is the potential compromise of user confidentiality and integrity on affected websites. Attackers can execute arbitrary scripts in the context of the vulnerable site, enabling theft of session cookies, user credentials, or other sensitive information accessible via the browser. This can lead to account takeover or unauthorized actions performed on behalf of legitimate users. Additionally, attackers may manipulate page content or redirect users to malicious sites, damaging the website's reputation and trustworthiness. Since the vulnerability requires contributor-level access, it could be exploited by malicious insiders or compromised accounts. The lack of user interaction for exploitation increases the risk of widespread impact once an attacker gains the necessary privileges. Organizations relying on the Uncode Core plugin for their WordPress sites may face data breaches, defacement, or loss of user trust if the vulnerability is exploited. The absence of known active exploits provides a window for remediation, but the medium severity score indicates that timely action is necessary to prevent potential damage.

To mitigate CVE-2025-6944, organizations should first check for and apply any official patches or updates released by the Uncode Core plugin developers once available. In the absence of patches, administrators should restrict contributor-level access to trusted users only and review existing user roles to minimize the risk of malicious content injection. Implementing a web application firewall (WAF) with rules to detect and block common XSS payloads targeting the affected shortcodes can provide temporary protection. Additionally, site owners can disable or remove the vulnerable shortcodes ('uncode_hl_text' and 'uncode_text_icon') from their content until a fix is applied. Conducting regular security audits and monitoring for unusual content changes or script injections can help detect exploitation attempts early. Educating content contributors about safe input practices and the risks of injecting untrusted code is also beneficial. Finally, enabling Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting the sources from which scripts can execute.