Skip to main content

Shortcode Buttons Plugin EUVDEUVD-2025-210351

| CVE-2025-63041 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-xwqq-7m42-6939
5.4
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

Requires authenticated Contributor account (PR:L) over network (AV:N); no confidentiality exposure; low integrity and availability impact from unauthorized plugin action.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:31 vuln.today

DescriptionCVE.org

Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.

AnalysisAI

Broken access control in the 'Forget About Shortcode Buttons' WordPress plugin (versions <= 2.1.3) allows authenticated Contributors to invoke restricted plugin functionality without proper authorization checks. The root cause is CWE-862 (Missing Authorization), meaning the plugin exposes one or more privileged endpoints or actions without verifying that the calling user holds a sufficient role. An attacker with a Contributor account on the target WordPress site can exploit this to make unauthorized integrity or availability modifications within the scope of what the plugin controls. No public exploit code and no CISA KEV listing are identified at time of analysis.

Technical ContextAI

The affected product is the 'Forget About Shortcode Buttons' WordPress plugin, versions up to and including 2.1.3, which modifies the WordPress post editor toolbar to manage shortcode-related buttons. The vulnerability class is CWE-862 (Missing Authorization): the plugin registers one or more AJAX handlers, REST API endpoints, or admin-page actions without implementing a capability check (e.g., WordPress's current_user_can() or check_ajax_referer() with role validation). WordPress Contributors can create and edit their own posts but cannot publish or modify site-wide settings; this flaw allows that role boundary to be crossed for whichever plugin action lacks the guard. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U confirms network-reachable, low-complexity exploitation by a low-privileged (authenticated) user with no user interaction required.

RemediationAI

Update the Forget About Shortcode Buttons plugin to a version beyond 2.1.3 that addresses the missing authorization check, once a patched release is published. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/forget-about-shortcode-buttons/vulnerability/wordpress-forget-about-shortcode-buttons-plugin-2-1-3-broken-access-control-vulnerability should be monitored for a confirmed fix version, as no exact patched version was confirmed in the available intelligence. As an interim compensating control, site administrators should audit and restrict Contributor role assignments to only fully trusted users, reducing the pool of accounts that could exploit the flaw. If the plugin is not actively required, deactivating and removing it eliminates the attack surface entirely with no functional trade-off. WordPress security plugins such as Patchstack or Wordfence may provide virtual patching rules for this CVE while an official fix is awaited.

Share

EUVD-2025-210351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy