CVE-2025-7957 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ShortcodeHub – MultiPurpose Shortcode Builder plugin for WordPress, affecting all versions up to and including 1.7.1. The vulnerability stems from improper neutralization of input during web page generation, specifically inadequate sanitization and escaping of the 'author_link_target' parameter. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing credentials, or performing actions on behalf of users without their consent. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring only low complexity to exploit, and no user interaction is necessary once the malicious content is stored. The scope is considered changed (S:C) because the vulnerability affects components beyond the attacker’s privileges, impacting other users. Although no known exploits are currently in the wild, the vulnerability poses a significant risk due to the plugin’s usage in WordPress environments, which are common targets for web-based attacks. The lack of available patches at the time of disclosure increases the urgency for mitigation. This vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks.

The primary impact of CVE-2025-7957 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers can execute arbitrary JavaScript in the context of the victim’s browser, enabling session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of users. This can lead to account takeover, defacement, or further exploitation such as pivoting to other parts of the network. Since the vulnerability requires only Contributor-level access, it lowers the barrier for exploitation compared to vulnerabilities requiring administrative privileges. The stored nature of the XSS means that all users visiting the compromised pages are at risk, potentially including site administrators and visitors. This can damage organizational reputation, lead to data breaches, and disrupt normal website operations. Given WordPress’s extensive use worldwide, the vulnerability could affect a large number of organizations, especially those relying on the ShortcodeHub plugin for content management and page building.

Organizations should immediately verify if they use the ShortcodeHub – MultiPurpose Shortcode Builder plugin and identify the version in use. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. If removal is not feasible, restrict Contributor-level user permissions to trusted individuals only and monitor for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'author_link_target' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly audit user-generated content for injected scripts and sanitize inputs manually if possible. Stay informed about vendor updates and apply patches promptly once available. Additionally, educate users and administrators about the risks of XSS and encourage strong authentication practices to reduce the impact of potential session hijacking.