CVE-2025-10180
Description
The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Markdown Shortcode plugin for WordPress ≤0.2.1 has a stored XSS vulnerability via the 'markdown' shortcode, allowing contributors to inject arbitrary scripts.
The Markdown Shortcode plugin for WordPress, in all versions up to and including 0.2.1, contains a stored cross-site scripting (XSS) vulnerability in its [markdown] shortcode. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious HTML or JavaScript to be processed and stored [1][2].
Exploitation
An authenticated attacker with contributor-level access or higher can inject arbitrary web scripts through the shortcode. When a user visits a page containing the crafted shortcode, the injected script executes in the context of the victim's browser. No additional privileges or user interaction beyond viewing the page is required [1][2].
Impact
Successful exploitation enables an attacker to perform actions such as stealing session cookies, defacing the site, or redirecting users to malicious sites. The CVSS v3.1 score is 6.4 (Medium) with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating low confidentiality and integrity impact but a scope change [2].
Mitigation
The vulnerability is fixed in version 0.2.3, which adds wp_kses_post() sanitization to the markdown output, removing dangerous HTML tags like `` while preserving safe HTML [1][2]. All users are strongly advised to update immediately.
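As an added illustration (not the plugin's own code or its fix commit), the two shortcode callbacks below contrast the unescaped pattern the description refers to with the wp_kses_post() pattern the fix note describes; `markdown_to_html()` is a placeholder for whatever Markdown converter the handler calls, and the function names are hypothetical.

```php
<?php
/**
 * Illustrative WordPress shortcode handlers for a [markdown] shortcode.
 * Not the Markdown Shortcode plugin's code; markdown_to_html() is a
 * stand-in for the real converter and is assumed to exist.
 */

// Vulnerable pattern: the attribute and the converted body are returned as-is.
// Markdown permits raw inline HTML, so script tags and on* handlers survive
// conversion, and the attribute is placed straight into an HTML attribute.
function demo_markdown_shortcode_unsafe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'markdown' );
    $html = markdown_to_html( $content );
    return '<div class="' . $atts['class'] . '">' . $html . '</div>';
}

// Hardened pattern: escape the attribute for attribute context and pass the
// converted HTML through wp_kses_post(), which keeps only the tags and
// attributes allowed in post content and drops script elements, on*
// event handlers and disallowed URL protocols. Contributors therefore get
// the same HTML they could already place in a post, and nothing more.
function demo_markdown_shortcode_safe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'markdown' );
    $html = wp_kses_post( markdown_to_html( $content ) );
    return '<div class="' . esc_attr( $atts['class'] ) . '">' . $html . '</div>';
}

// Register only the hardened callback.
add_shortcode( 'markdown', 'demo_markdown_shortcode_safe' );
```

Applying wp_kses_post() to the rendered output rather than the raw Markdown matters: filtering before conversion leaves room for the converter itself to emit markup the filter never saw.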
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: v0.1, v0.1.1, v0.1.2, …
Patches
- 2f02cd680eb6
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/JohannesHoppe/markdown-shortcode/commit/2f02cd680eb60cc7d4a92cc64506095d304a95ff (nvd)
- github.com/JohannesHoppe/markdown-shortcode/releases/tag/v0.2.3 (nvd)
- plugins.trac.wordpress.org/browser/markdown-shortcode/trunk/markdown-shortcode.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/4e9563b8-7e1b-4e87-8b56-17b75adb66c3 (nvd)
News mentions
No linked articles in our index yet.