CVE-2025-0370
Published: 04 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-0370 is a stored cross-site scripting (XSS) vulnerability in the Shortcodes Ultimate plugin for WordPress, affecting all versions up to and including 7.3.3. The flaw stems from insufficient input sanitization and output escaping of the 'src' parameter. It is classified under CWE-79 and carries a CVSS v3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). The affected code includes the lightbox shortcode implementation; the plugin's source at lightbox.php line 75 is cited as the location of the issue.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages. When users, including administrators, view the injected pages, the scripts execute in their browsers, potentially leading to session hijacking, data theft, or further site compromise. The CVSS scope is Changed (S:C) because the impact lands in the viewing user's browser rather than in the vulnerable plugin itself.
Wordfence's threat intelligence advisory provides a detailed analysis of the issue, and the plugin's Trac repository shows the fix committed in changeset 3229060. Security practitioners should update to a version later than 7.3.3 via the official WordPress plugin directory.
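The root cause named above is missing output escaping of an attribute value that a low-privileged author controls. As an added illustration that is not the plugin's code, the following hypothetical shortcode handler shows that defect class beside a hardened form built on WordPress's esc_url() and esc_attr(). The shortcode name demo_lightbox, the attribute names, and the simplified fallback bodies for esc_attr(), esc_url() and shortcode_atts() are assumptions made so the file also runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not the Shortcodes Ultimate plugin's code.
// Shows an attribute-context XSS (the CWE-79 pattern from the advisory)
// next to a hardened handler. The shortcode name and attributes are invented.

// Simplified stand-ins so the file runs outside WordPress.
// WordPress's own esc_attr(), esc_url() and shortcode_atts() take precedence.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Escape for an HTML attribute: quotes, angle brackets and ampersands.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified: accept only absolute http/https URLs, then attribute-escape.
    // (WordPress's real esc_url allows a longer protocol list and relative URLs.)
    function esc_url($url) {
        $url = trim((string) $url);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return esc_attr($url);
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        // Keep only known attributes, fill in defaults for missing ones.
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// Vulnerable form: the untrusted 'src' value is concatenated straight into
// an HTML attribute, so a double quote in the value ends the attribute and
// anything after it becomes new attributes (an event handler, for instance).
function demo_lightbox_vulnerable($atts) {
    $atts = shortcode_atts(['src' => '', 'title' => ''], $atts);
    return '<a class="demo-lightbox" href="' . $atts['src'] . '"'
         . ' title="' . $atts['title'] . '">open</a>';
}

// Hardened form: validate the URL (scheme allow-list) and escape it for the
// attribute context; escape the free-text attribute with esc_attr().
function demo_lightbox_hardened($atts) {
    $atts = shortcode_atts(['src' => '', 'title' => ''], $atts);
    $src = esc_url($atts['src']);
    if ($src === '') {
        return ''; // reject anything that is not an allowed URL
    }
    return '<a class="demo-lightbox" href="' . $src . '"'
         . ' title="' . esc_attr($atts['title']) . '">open</a>';
}

// Registration as it would look inside a plugin (guarded for stand-alone runs).
if (function_exists('add_shortcode')) {
    add_shortcode('demo_lightbox', 'demo_lightbox_hardened');
}

// Constructed inputs: one benign, one that tries to break out of the attribute.
$benign  = ['src' => 'https://example.com/image.jpg', 'title' => 'A & B'];
$hostile = ['src' => 'x" onmouseover="alert(1)', 'title' => 'demo'];

echo "vulnerable/benign:  ", demo_lightbox_vulnerable($benign), PHP_EOL;
echo "vulnerable/hostile: ", demo_lightbox_vulnerable($hostile), PHP_EOL;
echo "hardened/benign:    ", demo_lightbox_hardened($benign), PHP_EOL;
echo "hardened/hostile:   '", demo_lightbox_hardened($hostile), "'", PHP_EOL;
```

Run with `php demo_lightbox.php`: the vulnerable handler emits the hostile value as a live onmouseover attribute, while the hardened handler returns an empty string for it and an escaped, well-formed anchor for the benign input. The point for reviewers is that escaping must match the output context (esc_url for URL attributes, esc_attr for other attributes) and happen at render time, since the attribute value was stored by a Contributor long before an administrator views the page.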
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS allows injection and execution of arbitrary scripts in victims' browsers, directly enabling session hijacking as explicitly described in the CVE.