CVE-2025-7354 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WP Shortcodes Plugin — Shortcodes Ultimate for WordPress, developed by gn_themes. This vulnerability exists in all versions up to and including 7.4.2 due to improper input sanitization and output escaping of user-supplied attributes within the plugin's shortcodes. Specifically, authenticated users with contributor-level privileges or higher can inject arbitrary malicious scripts into pages via shortcode attributes. These scripts are then stored persistently and executed in the browsers of any users who visit the compromised pages. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact includes limited confidentiality and integrity loss, with no direct availability impact. No known exploits in the wild have been reported as of the publication date (July 21, 2025). The vulnerability is significant because WordPress powers a large portion of websites globally, and the Shortcodes Ultimate plugin is widely used to enhance site functionality. An attacker exploiting this vulnerability can perform actions such as session hijacking, defacement, or redirecting users to malicious sites by injecting JavaScript code that executes in the context of the victim's browser. Since the exploit requires contributor-level access, it is more likely to be leveraged in scenarios where an attacker has already compromised or gained access to a user account with elevated privileges, or through social engineering or insider threats. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps by site administrators.

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the Shortcodes Ultimate plugin. The stored XSS can lead to unauthorized script execution, potentially compromising user sessions, leaking sensitive information, or enabling further attacks such as privilege escalation or phishing. Organizations handling personal data under GDPR must be particularly cautious, as exploitation could lead to data breaches and regulatory penalties. The vulnerability could undermine trust in public-facing websites, damage brand reputation, and disrupt business operations if exploited. Since the attack requires contributor-level access, the risk is heightened in environments where internal user accounts are not tightly controlled or where attackers can gain access through credential theft or social engineering. Additionally, the scope change in the CVSS vector indicates that the impact could extend beyond the plugin itself, potentially affecting other components or user data. European organizations with high web presence, especially in sectors like e-commerce, media, and public services, are at risk of targeted exploitation. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk, as attackers may develop exploits once the vulnerability becomes widely known.

1. Immediate mitigation includes restricting contributor-level access to trusted users only and auditing existing user accounts for suspicious activity. 2. Disable or remove the WP Shortcodes Plugin — Shortcodes Ultimate if it is not essential to the website’s functionality until a patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious shortcode attribute payloads and suspicious script injections targeting the plugin. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 5. Monitor website logs and user activity for signs of exploitation or anomalous behavior. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content review processes. 7. Once a patch is available, promptly update the plugin to the fixed version. 8. Consider deploying security plugins that provide enhanced input sanitization and output escaping as an additional layer of defense. 9. Regularly back up website data to enable quick restoration in case of compromise.