CVE-2025-0370

Medium

Published: 04 March 2025
Modified: 05 March 2025
CVSS Score v3.1: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0608 (91.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0370 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Vanokhin Shortcodes Ultimate. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks in the top 9.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-0370 is a stored cross-site scripting (XSS) vulnerability in the Shortcodes Ultimate plugin for WordPress, affecting all versions up to and including 7.3.3. The flaw stems from insufficient input sanitization and output escaping of the 'src' parameter, classified under CWE-79 with a CVSS v3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). It resides in components like the lightbox shortcode implementation, as indicated in the plugin's source code at lightbox.php line 75.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages. When users, including administrators, access the injected pages, the scripts execute in their browsers, potentially leading to session hijacking, data theft, or further site compromise due to the changed scope (S:C).

Wordfence's threat intelligence advisory provides detailed analysis of the issue, while the plugin's Trac repository shows a fix committed in changeset 3229060. Security practitioners should update to a patched version beyond 7.3.3 via the official WordPress plugin directory.
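
For sites that ran an affected version, the following audit sketch flags stored shortcodes whose 'src' value fails an allowlist check, so the posts and their authors can be reviewed. It is an added example, not code from the plugin or the advisory; the `su_` shortcode prefix, the acceptance rules and the sample posts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: shortcodes use the "su_" prefix and carry the value as src="...",
# src='...' or an unquoted src=... attribute inside the opening tag.
SHORTCODE_RE = re.compile(r"\[(su_\w+)\b([^\]]*)\]")
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Characters that have no place in a URL-valued attribute.
UNSAFE_CHARS = re.compile(r"""[<>"'`\s\x00-\x1f]""")
# Assumption: a bare "#element-id" selector is also a legitimate value.
INLINE_SELECTOR = re.compile(r"#[A-Za-z][\w-]*\Z")

def src_is_acceptable(value):
    """Allowlist check: an http(s) URL with a host, or a simple #id selector."""
    if INLINE_SELECTOR.match(value):
        return True
    if UNSAFE_CHARS.search(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. malformed bracketed host
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def audit_posts(posts):
    """posts: iterable of (post_id, author, content), for example rows
    exported from the site's post table. Returns the rejected occurrences."""
    findings = []
    for post_id, author, content in posts:
        for tag, attrs in SHORTCODE_RE.findall(content):
            match = SRC_RE.search(attrs)
            if not match:
                continue
            value = next(g for g in match.groups() if g is not None)
            if not src_is_acceptable(value):
                findings.append((post_id, author, tag, value))
    return findings

# Constructed sample rows, not taken from any real site.
SAMPLE_POSTS = [
    (101, "editor_a", '[su_lightbox type="iframe" src="https://example.com/video"]Open[/su_lightbox]'),
    (102, "contrib_b", '[su_lightbox type="inline" src="#signup-form"]Open[/su_lightbox]'),
    (103, "contrib_c", '[su_lightbox src="javascript:void(0)"]Open[/su_lightbox]'),
    (104, "contrib_c", "[su_lightbox src='https://example.com/a b<c']Open[/su_lightbox]"),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print("review:", finding)
```

A flagged row is a prompt for manual review of the post and its author's role, not proof of injection; the allowlist is deliberately stricter than what the plugin accepts.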

Vulnerability details

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection)

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

Stored XSS allows injection and execution of arbitrary scripts in victims' browsers, directly enabling session hijacking as explicitly described in the CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25203 (Shared CWE-79)
CVE-2025-67959 (Shared CWE-79)
CVE-2025-68835 (Shared CWE-79)
CVE-2026-32118 (Shared CWE-79)
CVE-2025-24617 (Shared CWE-79)
CVE-2026-30934 (Shared CWE-79)
CVE-2026-24833 (Shared CWE-79)
CVE-2024-56038 (Shared CWE-79)
CVE-2025-25823 (Shared CWE-79)
CVE-2025-36548 (Shared CWE-79)

Affected Assets

vanokhin shortcodes ultimate, ≤ 7.3.4

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 requires validation of information inputs like the 'src' parameter to prevent injection of malicious scripts due to insufficient input sanitization.

Prevent: SI-15 mandates filtering of outputs to block execution of injected scripts from the 'src' parameter due to inadequate output escaping.

Prevent: SI-2 ensures timely remediation of flaws like this stored XSS vulnerability by applying patches beyond version 7.3.3.
