Cyber Posture

CVE-2025-0370

Severity: Medium
Published: 04 March 2025
Modified: 05 March 2025
KEV Added: not listed
Patch: (no entry)
CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0608 (90.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0370 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Vanokhin Shortcodes Ultimate. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks in the top 9.2% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- SI-10 (prevent): requires validation of information inputs such as the 'src' parameter, to prevent injection of malicious scripts where input sanitization is insufficient.
- SI-15 (prevent): mandates filtering of outputs to block execution of injected scripts from the 'src' parameter where output escaping is inadequate.
- SI-2 (prevent): ensures timely remediation of flaws like this stored XSS vulnerability by applying patches beyond version 7.3.3.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1185 Browser Session Hijacking (tactic: Collection)

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

Stored XSS allows injection and execution of arbitrary scripts in victims' browsers, directly enabling session hijacking as explicitly described in the CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'src' parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Deeper analysis [AI-generated]

CVE-2025-0370 is a stored cross-site scripting (XSS) vulnerability in the Shortcodes Ultimate plugin for WordPress, affecting all versions up to and including 7.3.3. The flaw stems from insufficient input sanitization and output escaping of the 'src' parameter, classified under CWE-79 with a CVSS v3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). It resides in components like the lightbox shortcode implementation, as indicated in the plugin's source code at lightbox.php line 75.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages. When users, including administrators, access the injected pages, the scripts execute in their browsers, potentially leading to session hijacking, data theft, or further site compromise due to the changed scope (S:C).

Wordfence's threat intelligence advisory provides detailed analysis of the issue, while the plugin's Trac repository shows a fix committed in changeset 3229060. Security practitioners should update to a patched version beyond 7.3.3 via the official WordPress plugin directory.
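The defensive pattern behind the SI-10 and SI-15 controls listed above, as an added example that is not the plugin's code or the committed fix. The page names only the 'src' parameter and lightbox.php, so the shortcode handler, the `data-mfp-src` attribute and the function names below are illustrative assumptions. The weak handler interpolates the shortcode attribute straight into an HTML attribute; the hardened one validates the URL scheme on input and escapes for the attribute context on output, and the second sample shows why both steps are needed.

```php
<?php
// Added example, not code from the plugin. Function names are hypothetical.
// A WordPress shortcode handler receives its attributes as an array ($atts).

// Weak pattern (CWE-79): the attribute value reaches the page unchanged, so
// a quote character can close the attribute and add new markup.
function lightbox_shortcode_weak(array $atts): string {
    $src = $atts['src'] ?? '';
    return '<a class="su-lightbox" data-mfp-src="' . $src . '">open</a>';
}

// SI-10, input validation: accept a site-relative path or an http(s) URL only.
// Returns null for anything else so the caller can refuse to render it.
function validate_src(string $src): ?string {
    $src = trim($src);
    if ($src === '' || strlen($src) > 2048) {
        return null;
    }
    // Site-relative path ("/uploads/x.jpg"), but not a scheme-relative "//host".
    if ($src[0] === '/' && substr($src, 0, 2) !== '//') {
        return $src;
    }
    $scheme = parse_url($src, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return null; // no scheme or unparsable
    }
    if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // javascript:, data:, vbscript: and friends are rejected
    }
    return $src;
}

// SI-15, output filtering: escape for the HTML attribute context. This is
// applied even to values that passed validation, because validation checks
// the scheme, not whether the string can break out of the attribute.
function esc_html_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function lightbox_shortcode_safe(array $atts): string {
    $src = validate_src((string) ($atts['src'] ?? ''));
    if ($src === null) {
        return ''; // refuse to render rather than emit a bad value
    }
    return '<a class="su-lightbox" data-mfp-src="' . esc_html_attr($src) . '">open</a>';
}

// Constructed sample inputs: a normal URL, a value carrying quote and tag
// characters (passes scheme validation, so only escaping neutralises it),
// and a non-http scheme (rejected by validation).
$samples = [
    'https://example.com/photo.jpg',
    'https://example.com/photo.jpg" data-x="<b>',
    'javascript:void(0)',
];
foreach ($samples as $s) {
    echo "input : $s\n";
    echo "weak  : " . lightbox_shortcode_weak(['src' => $s]) . "\n";
    echo "safe  : " . lightbox_shortcode_safe(['src' => $s]) . "\n\n";
}
```

Inside a real WordPress plugin the same two steps are normally done with the core helpers esc_url() (scheme allow-list plus escaping) and esc_attr() (attribute-context escaping); the plain-PHP versions here only make the two controls visible as separate checks.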

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: vanokhin shortcodes ultimate, ≤ 7.3.4

CVEs Like This One

- CVE-2025-25203 (shared CWE-79)
- CVE-2025-27380 (shared CWE-79)
- CVE-2025-24414 (shared CWE-79)
- CVE-2025-24417 (shared CWE-79)
- CVE-2025-69392 (shared CWE-79)
- CVE-2025-25612 (shared CWE-79)
- CVE-2026-21311 (shared CWE-79)
- CVE-2025-25823 (shared CWE-79)
- CVE-2024-55228 (shared CWE-79)
- CVE-2026-30934 (shared CWE-79)

References