Cyber Resilience

CVE-2025-2262

Severity: High
Published: 18 March 2025
Modified: 15 April 2026
CVSS v3.1 Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0032 (55.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2262 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (affected product inferred from references). Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-2262 is an arbitrary shortcode execution vulnerability in the Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress, affecting all versions up to and including 3.7.3. The flaw is that the plugin exposes an action which fails to validate a value before passing it to the do_shortcode function, a Missing Authorization weakness (CWE-862). It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-18.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation enables execution of arbitrary shortcodes, potentially leading to low impacts on confidentiality, integrity, and availability.

Advisories, including Wordfence threat intelligence, highlight the vulnerability, with code references in the plugin's shortcode-builder/builder.php at lines 31, 51, and 65. The fix is in changeset 3256441 on the WordPress plugin trac repository; security practitioners should review it for patching details and move to a release newer than 3.7.3.
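The weakness described above, as an added illustration rather than the plugin's own code: an AJAX action registered for unauthenticated visitors that hands a request value straight to do_shortcode(), beside a hardened version with a nonce, a capability check and a shortcode allowlist. The action names, the example_logo_slider shortcode tag and the nonce action are hypothetical.

```php
<?php
// Illustrative vulnerable pattern (not the plugin's code): a wp_ajax_nopriv_
// handler is reachable without login, and the caller controls the full
// shortcode text that do_shortcode() will execute.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
function example_render_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // No nonce, no capability check, no restriction on which shortcodes may run.
    wp_send_json_success( do_shortcode( $content ) );
}

// Hardened form: authenticated handler only, nonce and capability checks,
// and the shortcode string is built server-side from an allowlisted tag
// and sanitised attributes instead of being taken from the request.
add_action( 'wp_ajax_example_render', 'example_render_hardened' );
function example_render_hardened() {
    // Rejects requests that lack a valid nonce for the hypothetical action.
    check_ajax_referer( 'example_render_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'example_logo_slider' ); // hypothetical tag owned by this code
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Only a numeric id is accepted as an attribute; anything else is discarded.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    wp_send_json_success( do_shortcode( sprintf( '[%s id="%d"]', $tag, $id ) ) );
}
```

In a review, the thing to look for is any code path from a request parameter to do_shortcode() that is registered under wp_ajax_nopriv_ or otherwise skips the capability and nonce checks.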

Vulnerability details

The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CWE(s)

CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an unauthenticated arbitrary shortcode execution vulnerability in a public-facing WordPress plugin, directly enabling adversaries to exploit public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations to prevent unauthenticated attackers from executing arbitrary shortcodes due to missing authorization checks.

SI-10 Information Input Validation (prevent)
Validates inputs prior to processing to block malicious values passed to the do_shortcode function.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws like this arbitrary shortcode execution vulnerability through patching.
