CVE-2025-62111
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Extra Shortcodes extra-shortcodes allows Stored XSS. This issue affects Extra Shortcodes: from n/a through <= 2.2.
Analysis
Stored cross-site scripting (XSS) in the webvitaly Extra Shortcodes WordPress plugin, through version 2.2, allows an authenticated user to store a shortcode whose rendered output carries attacker-controlled script that executes in the browsers of other site visitors. The flaw is improper neutralization of input during web page generation: shortcode input reaches the plugin's HTML output without adequate sanitization or escaping, so the payload is saved with the post and runs on every render. The low EPSS score (0.04%) and the absence of public exploit code suggest limited exploitation likelihood in practice, but because the payload is stored it keeps firing for every subsequent visitor until the content is cleaned and the plugin is updated.
Technical Context
The vulnerability exists in the webvitaly Extra Shortcodes plugin for WordPress, a content generation component that processes shortcodes, the bracketed WordPress macros that expand into dynamic content when a post is rendered. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input validation or output encoding when shortcode parameters are processed. When a shortcode is rendered, user-supplied data is placed into the HTML output without being sanitized or escaped for the context it lands in, allowing an attacker to break out of an attribute or tag and embed script tags or event handlers. This is a stored XSS variant: the malicious payload persists in the WordPress database as part of the post content and executes every time the affected content is displayed, rather than requiring per-request injection.
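The pattern below is added here as an illustration of the CWE-79 failure mode in a shortcode handler; it is not code from the Extra Shortcodes plugin. The shortcode tag `ex_box` and its attributes `title` and `color` are hypothetical names. The first handler concatenates attribute values and enclosed content into HTML unchanged; the second encodes each value for the context it lands in using WordPress core escaping functions.

```php
<?php
// Added illustration of CWE-79 in a WordPress shortcode handler. The [ex_box]
// shortcode and its attributes are hypothetical; this is NOT the Extra
// Shortcodes plugin's code.

// Vulnerable pattern: attribute values and the enclosed content are concatenated
// into HTML as-is. A post body containing
//   [ex_box title='" onmouseover="alert(document.cookie)']hi[/ex_box]
// renders as
//   <div class="ex-box" title="" onmouseover="alert(document.cookie)" style="color:">hi</div>
// and, because the post body is stored, the handler fires for every visitor.
// wp_filter_post_kses, which WordPress applies on save for users without the
// unfiltered_html capability, strips disallowed HTML tags anywhere in the body
// but does not understand shortcode syntax, so a bare quote followed by an
// event handler inside a shortcode attribute passes through untouched. The
// handler's own output encoding is therefore the only control.
function ex_box_vulnerable( $atts, $content = null ) {
    $a = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'ex_box' );
    return '<div class="ex-box" title="' . $a['title'] . '" style="color:' . $a['color'] . '">'
         . do_shortcode( $content ) . '</div>';
}

// Hardened pattern: encode every value for the context it lands in.
//   esc_attr()     for HTML attribute values
//   an allowlist   for the colour, which lands inside a CSS declaration where
//                  HTML escaping alone is not enough (e.g. "red;background:url(...)")
//   wp_kses_post() for enclosed content that may legitimately contain markup,
//                  applied after do_shortcode() so nested shortcode output is
//                  filtered as well
function ex_box_hardened( $atts, $content = null ) {
    $a     = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'ex_box' );
    $style = '';
    if ( preg_match( '/^#(?:[0-9a-f]{3}){1,2}$/i', $a['color'] ) ) {
        $style = ' style="color:' . esc_attr( $a['color'] ) . '"';
    }
    return '<div class="ex-box" title="' . esc_attr( $a['title'] ) . '"' . $style . '>'
         . wp_kses_post( do_shortcode( $content ) ) . '</div>';
}

add_shortcode( 'ex_box', 'ex_box_hardened' );
```

The choice of escaping function follows the output context, not the input: `esc_attr()` for attribute values, `esc_html()` for text nodes, `esc_url()` for `href`/`src`, and an allowlist (not an escape) for anything that ends up in CSS or a JavaScript context. Escaping at the moment of output is what makes the stored payload inert even though it remains in the database.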
Affected Products
The webvitaly Extra Shortcodes WordPress plugin is affected in all versions up to and including 2.2 (the advisory gives no lower bound), distributed via the WordPress.org plugin repository. The installed version can be checked on the Plugins page of the WordPress admin dashboard. Detailed vulnerability information is available in the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/extra-shortcodes/vulnerability/wordpress-extra-shortcodes-plugin-2-2-cross-site-scripting-xss-vulnerability.
Remediation
Update the webvitaly Extra Shortcodes plugin to a version newer than 2.2; consult the plugin's official repository or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/extra-shortcodes/vulnerability/wordpress-extra-shortcodes-plugin-2-2-cross-site-scripting-xss-vulnerability) for the exact patched version number. If an immediate update is not available, restrict post/page editor roles to trusted administrators only, audit existing posts and pages for suspicious shortcode content or embedded script tags, and disable the plugin if it is not actively required. Review WordPress user capabilities to ensure only authorized users can edit content containing shortcodes.
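The audit step above can be scripted. The WP-CLI script below is an added helper, not part of the plugin or the advisory: it reads post content directly, parses shortcodes with WordPress's own `get_shortcode_regex()`, and reports any shortcode whose attributes or enclosed content contain fragments a stored-XSS payload needs. The file name, the list of suspicious fragments, and the status filter are assumptions; the script only reports and does not modify content.

```php
<?php
// Added audit script, not part of the Extra Shortcodes plugin or the advisory.
// Save as audit-shortcodes.php (assumed name) and run from the site root:
//     wp eval-file audit-shortcodes.php
// While the plugin is still active its tags are registered in $shortcode_tags,
// so get_shortcode_regex() with no argument covers them together with every
// other registered shortcode. Nothing is modified; hits are printed for review.

global $wpdb;

// Fragments a stored-XSS payload needs but ordinary shortcode use does not.
// This list is an assumption; extend it for your site's content.
$suspicious = '/<\s*\/?\s*(script|iframe|svg|object|embed)\b' // injected tags
            . '|\bon[a-z]+\s*='                               // event handlers
            . '|javascript\s*:'                               // scheme in href/src
            . '|expression\s*\('                              // legacy CSS
            . '/i';

$regex = '/' . get_shortcode_regex() . '/s';

// Revisions are skipped; every other status is scanned because a pending or
// draft post is still rendered in preview for the reviewing editor.
$rows = $wpdb->get_results(
    "SELECT ID, post_type, post_author, post_modified, post_content
       FROM {$wpdb->posts}
      WHERE post_type <> 'revision'
        AND post_status <> 'trash'
        AND post_content LIKE '%[%'"
);

$hits = 0;
foreach ( $rows as $row ) {
    if ( ! preg_match_all( $regex, $row->post_content, $m, PREG_SET_ORDER ) ) {
        continue;
    }
    foreach ( $m as $sc ) {
        // Capture groups of get_shortcode_regex():
        //   [1] optional extra '['  [2] tag name  [3] raw attribute string
        //   [5] enclosed content    [6] optional extra ']'
        if ( '[' === $sc[1] && ']' === $sc[6] ) {
            continue; // [[tag]] is an escaped shortcode; WordPress does not run it
        }
        $attrs   = $sc[3];
        $body    = isset( $sc[5] ) ? $sc[5] : '';
        $payload = $attrs . "\n" . $body;
        if ( ! preg_match( $suspicious, $payload, $frag ) ) {
            continue;
        }
        $hits++;
        $user  = get_user_by( 'id', $row->post_author );
        $login = $user ? $user->user_login : 'user#' . $row->post_author;
        WP_CLI::warning( sprintf(
            '%s %d (%s, by %s, modified %s): [%s] matched "%s" in %s',
            $row->post_type,
            $row->ID,
            get_permalink( $row->ID ),
            $login,
            $row->post_modified,
            $sc[2],
            $frag[0],
            preg_match( $suspicious, $attrs ) ? 'attributes' : 'content'
        ) );
    }
}
WP_CLI::log( sprintf( 'Scanned %d items, %d suspicious shortcode uses.', count( $rows ), $hits ) );
```

Expect a few false positives (an attribute legitimately named `only=` matches the event-handler pattern), so treat the output as a review list rather than a verdict. The author column is the useful part for incident response: a hit attributed to a low-privilege account points at the account to disable and the session to revoke, not just the post to edit. The installed plugin version itself can be confirmed with `wp plugin get extra-shortcodes --field=version`.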
Source: vuln.today