CVE-2025-2803

CVE-2025-2803 is an arbitrary shortcode execution vulnerability in the So-Called Air Quotes plugin for WordPress, affecting all versions up to and including 0.1. The issue stems from the plugin allowing execution of an action that does not properly validate a value before invoking the do_shortcode function, enabling attackers to inject and execute arbitrary shortcodes. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is classified under CWE-94 (Code Injection). The vulnerability was published on 2025-03-29T07:15:18.770.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By targeting the insufficiently validated input, they can execute arbitrary shortcodes on affected WordPress sites, potentially compromising low levels of confidentiality, integrity, and availability as per the CVSS vector.

Mitigation details are available in related advisories and resources, including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/83f2ceee-4422-4ed5-adc7-91bc022ae42d?source=cve, the plugin's developer page at https://wordpress.org/plugins/so-called-air-quotes/#developers, and the plugin source code at https://plugins.svn.wordpress.org/so-called-air-quotes/trunk/airquote.php. Security practitioners should review these for patching guidance or updates beyond version 0.1.