CVE-2025-2262
Published: 18 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2262 is an arbitrary shortcode execution vulnerability in The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress, affecting all versions up to and including 3.7.3. The issue stems from the plugin exposing an action that fails to properly validate a value before passing it to the do_shortcode function, classified as CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-18.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation enables execution of arbitrary shortcodes, potentially leading to low impacts on confidentiality, integrity, and availability.
Advisories, including Wordfence threat intelligence, highlight the vulnerability, with code references in the plugin's shortcode-builder/builder.php at lines 31, 51, and 65. Mitigation is addressed in the plugin's changeset 3256441 on the WordPress trac repository, which security practitioners should review for patching details for versions after 3.7.3.
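As an added illustration of the weakness class the summary describes (hypothetical code, not the plugin's own and not taken from the referenced changeset), the weak pattern of an AJAX action reachable without authentication that hands a request value straight to do_shortcode, shown beside a hardened handler; the hook names, nonce action, shortcode tag and capability are assumptions.

```php
<?php
// Hypothetical illustration, not the plugin's code. Assumed: a plugin that
// renders a slider preview through admin-ajax.php; all names below are made up.

// Weak pattern (the CWE-862 shape in the summary): hooked for logged-out users,
// no capability or nonce check, and the request value goes straight to do_shortcode(),
// so any shortcode registered on the site can be executed by an anonymous caller.
add_action( 'wp_ajax_nopriv_example_preview_shortcode', 'example_preview_shortcode_weak' );
function example_preview_shortcode_weak() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content );
    wp_die();
}

// Hardened form: privileged-only hook, nonce check, capability check, and only the
// plugin's own shortcode tag with a validated numeric id is ever rendered.
add_action( 'wp_ajax_example_preview_shortcode', 'example_preview_shortcode_safe' );
function example_preview_shortcode_safe() {
    check_ajax_referer( 'example_preview_nonce', 'nonce' );   // CSRF protection
    if ( ! current_user_can( 'edit_posts' ) ) {               // authorization (assumed capability)
        wp_send_json_error( 'forbidden', 403 );
    }
    $slider_id = isset( $_POST['slider_id'] ) ? absint( $_POST['slider_id'] ) : 0;
    if ( 0 === $slider_id || ! shortcode_exists( 'example_logo_slider' ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    // The shortcode string is built server-side; the client never supplies raw shortcode text.
    $html = do_shortcode( sprintf( '[example_logo_slider id="%d"]', $slider_id ) );
    wp_send_json_success( array( 'html' => $html ) );
}
```

When reviewing a plugin for this pattern, look for wp_ajax_nopriv_ hooks and admin_post_nopriv_ hooks whose callbacks reach do_shortcode without a current_user_can check.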
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated arbitrary shortcode execution vulnerability in a public-facing WordPress plugin, directly enabling adversaries to exploit public-facing applications for initial access.