Rescue Shortcodes CVE-2025-62110

EUVD-2025-209563 | Severity: MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-23 | Patchstack | GHSA-595f-wpcr-x297
CVSS 3.1 base score: 6.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Apr 23, 2026 - 12:00 (vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS. This issue affects Rescue Shortcodes: from n/a through 3.3.

Analysis (AI)

Stored cross-site scripting (XSS) in the Rescue Shortcodes WordPress plugin, versions through 3.3, allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users, potentially compromising site administrators and other high-privilege accounts. The attack requires user interaction (UI:R), and the Scope metric is Changed (S:C) because the impact reaches beyond the vulnerable plugin into the browser session of whoever views the page, enabling privilege escalation and data theft with moderate impact.

Technical Context (AI)

Rescue Shortcodes is a WordPress plugin that provides custom shortcode functionality for building dynamic page content. The vulnerability stems from improper input sanitization and output encoding during shortcode processing (CWE-79: Improper Neutralization of Input During Web Page Generation). WordPress shortcodes accept user-supplied parameters that are processed server-side and rendered into page HTML; when those parameters are not escaped for the HTML context they land in, markup and script in a parameter value become part of the page. An authenticated attacker with contributor-level or higher permissions can craft a shortcode with embedded JavaScript, which is stored in the WordPress database and executed client-side when the page is viewed by other users, including administrators. Versions up to and including 3.3 are affected.
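As an added illustration of the escaping gap described above (this is not Rescue Shortcodes' own code, which the advisory does not show), a hypothetical shortcode handler in the vulnerable pattern next to its hardened form; the shortcode name `demo_button` and its attributes are constructed for this example:

```php
<?php
// Added illustration, not the plugin's code. The shortcode "demo_button" and
// its "url"/"label" attributes are constructed for this example.

// Vulnerable pattern (CWE-79): attribute values are concatenated straight into
// HTML. A contributor who saves [demo_button url="..." label="..."] with quotes
// or tags in a value changes the markup that every later viewer's browser runs.
function demo_button_unsafe( $atts ) {
    $a = shortcode_atts( array( 'url' => '#', 'label' => 'Go' ), $atts, 'demo_button' );
    return '<a class="btn" href="' . $a['url'] . '">' . $a['label'] . '</a>';
}

// Hardened pattern: escape each value for the context it is rendered in.
// esc_url() drops disallowed schemes (returns '' for them) and makes the value
// safe inside a double-quoted attribute; wp_kses() keeps only an explicit
// allowlist of inline tags in the label, stripping everything else.
function demo_button_safe( $atts ) {
    $a = shortcode_atts( array( 'url' => '#', 'label' => 'Go' ), $atts, 'demo_button' );
    $url   = esc_url( $a['url'] );
    $label = wp_kses( $a['label'], array( 'strong' => array(), 'em' => array() ) );
    // If the label should be plain text only, esc_html( $a['label'] ) is the
    // simpler choice; wp_kses_post() is the WordPress-wide post-content allowlist.
    return sprintf( '<a class="btn" href="%s">%s</a>', $url, $label );
}

add_shortcode( 'demo_button', 'demo_button_safe' );
```

The defensive rule this shows is the one behind the fix for this class of bug: escape at output, per context (esc_url for href, esc_attr for other attributes, esc_html or a wp_kses allowlist for element content), rather than trusting that the stored shortcode text was clean.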

Remediation (AI)

Update Rescue Shortcodes to a patched version released after 3.3; consult the Patchstack advisory and Rescue Themes' official plugin repository or the WordPress.org plugin page for the exact fixed version number. If an immediate patch is unavailable, apply compensating controls: restrict the contributor and editor roles to trusted users only; use a security plugin such as Wordfence or Sucuri to implement input filtering and output encoding on shortcode parameters; or temporarily disable the Rescue Shortcodes plugin and replace its functionality with an alternative, patched shortcode plugin. Each workaround carries trade-offs: role restriction may impact legitimate content workflows, and security plugin filtering can break shortcode rendering if it is overly aggressive. Coordinate with site administrators and content teams before implementing restrictions.


CVE-2025-62110 vulnerability details – vuln.today
