CVE-2025-2262
Published: 18 March 2025
Summary
CVE-2025-2262 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-2262 is an arbitrary shortcode execution vulnerability in The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress, affecting all versions up to and including 3.7.3. The issue stems from the plugin allowing execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, as detailed in CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-18.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation enables execution of arbitrary shortcodes, potentially leading to low impacts on confidentiality, integrity, and availability.
Advisories, including Wordfence threat intelligence, highlight the vulnerability, with code references in the plugin's shortcode-builder/builder.php at lines 31, 51, and 65. The fix is in the plugin's changeset 3256441 on the WordPress plugin trac repository; practitioners should review that changeset for the patch details and update to a release later than 3.7.3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6470
Vulnerability details
The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated arbitrary shortcode execution vulnerability in a public-facing WordPress plugin, which directly enables adversaries to gain initial access by exploiting a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations to prevent unauthenticated attackers from executing arbitrary shortcodes due to missing authorization checks.
- SI-10 (Information Input Validation): Validates inputs prior to processing to block malicious values passed to the do_shortcode function.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws like this arbitrary shortcode execution vulnerability through patching.
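The following is an added example, not code from the Logo Slider plugin or from the changeset referenced above, showing how the AC-3 and SI-10 controls translate into a WordPress AJAX handler that renders a shortcode. All names (the `example_*` hooks, functions and the allowed shortcode tag) are hypothetical; the WordPress API calls (`add_action`, `current_user_can`, `check_ajax_referer`, `sanitize_key`, `esc_attr`, `do_shortcode`, `wp_send_json_*`) are real. The first handler illustrates the pattern the advisory describes; the second is the hardened form.

```php
<?php
// Added example (hypothetical names, not the plugin's code).

// Pattern the advisory describes: a handler that is reachable without login
// ("nopriv") and runs whatever shortcode text it is handed, with no
// authorization check and no validation of the value.
add_action( 'wp_ajax_nopriv_example_preview', 'example_preview_unsafe' );
function example_preview_unsafe() {
    echo do_shortcode( wp_unslash( $_POST['shortcode'] ?? '' ) );
    wp_die();
}

// Hardened form.
// AC-3: registered only for logged-in users (no nopriv hook), gated by a
//       capability check and a nonce.
// SI-10: never accepts free-form shortcode text; takes a tag name and
//        attributes separately, allowlists the tag and builds the string itself.
const EXAMPLE_ALLOWED_TAGS = array( 'example_logo_slider' ); // hypothetical tag

add_action( 'wp_ajax_example_preview', 'example_preview_safe' );
function example_preview_safe() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 unless the request carries a valid nonce in 'nonce'.
    check_ajax_referer( 'example_preview_nonce', 'nonce' );

    $tag = sanitize_key( wp_unslash( $_POST['tag'] ?? '' ) );
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_TAGS, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Rebuild attributes from key/value pairs; esc_attr() keeps a value from
    // closing the quoted attribute and injecting a second shortcode.
    $atts = array();
    $raw  = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ) ? wp_unslash( $_POST['atts'] ) : array();
    foreach ( $raw as $key => $value ) {
        $key = sanitize_key( $key );
        if ( '' === $key || ! is_scalar( $value ) ) {
            continue;
        }
        $atts[] = sprintf( '%s="%s"', $key, esc_attr( (string) $value ) );
    }

    $shortcode = '[' . $tag . ( $atts ? ' ' . implode( ' ', $atts ) : '' ) . ']';
    wp_send_json_success( do_shortcode( $shortcode ) );
}
```

The allowlist is the important part: a capability check alone still lets any contributor-level account run every registered shortcode, including ones from other plugins, so the handler accepts only the tags it is meant to preview and composes the shortcode string from validated pieces rather than echoing request data into `do_shortcode`.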