CVE-2025-7354 identifies a stored cross-site scripting (XSS) vulnerability in the WP Shortcodes Plugin — Shortcodes Ultimate, a widely used WordPress plugin developed by gn_themes. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes in shortcodes, which are snippets that allow users to add dynamic content to WordPress pages and posts. This flaw enables authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages or posts. Because the injected scripts are stored persistently in the WordPress database, they execute whenever any user, including administrators or visitors, accesses the affected page. The vulnerability does not require user interaction beyond visiting the page, and the attacker does not need elevated privileges beyond contributor access, which is commonly granted to trusted users who can add or edit content. The CVSS 3.1 score of 6.4 reflects the network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and a scope change due to potential impact on other users. The impact primarily affects confidentiality and integrity, as attackers can steal session cookies, perform actions on behalf of other users, or deface content. Availability is not impacted. No patches or updates are currently linked, and no known exploits have been reported in the wild as of the publication date. However, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or public-facing content.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the affected plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, privilege escalation, defacement, or distribution of malware. The compromise of administrator sessions could allow full site takeover, data theft, or insertion of backdoors. Since contributor access is often granted to content creators or editors, insider threats or compromised contributor accounts increase risk. The vulnerability undermines user trust and can damage brand reputation. Although availability is not directly affected, the integrity and confidentiality of site data and user information are at risk. Organizations with high-traffic websites, e-commerce platforms, or those handling sensitive user data are particularly vulnerable to exploitation attempts. The lack of known exploits in the wild suggests limited active exploitation currently, but the ease of exploitation and widespread use of the plugin make it a critical issue to address promptly.

Organizations should immediately audit their WordPress installations to identify the presence of the WP Shortcodes Plugin — Shortcodes Ultimate and verify the version in use. Until an official patch is released, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling the plugin if feasible. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode attribute inputs can help mitigate exploitation attempts. Site administrators should also enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly scanning site content for injected scripts and monitoring user activity logs for unusual behavior can aid early detection. Once a patch or update becomes available, it should be applied immediately. Additionally, educating contributors about safe content practices and limiting the use of shortcodes to trusted users can reduce risk. Backup procedures should be reviewed and tested to ensure rapid recovery in case of compromise.