CVE-2025-10737

The Genesis Framework for WordPress versions up to and including 3.6.0 contain a Stored Cross-Site Scripting (XSS) vulnerability in the theme's shortcodes. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious script injection.

Exploitation requires an authenticated attacker with at least contributor-level access. The attacker can inject arbitrary web scripts through shortcode attributes, which are stored and executed whenever a user accesses the affected page.

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of a victim's browser, potentially leading to session hijacking, defacement, or sensitive data disclosure.

The vulnerability is fixed in version 3.6.1, released on 2025-10-23. The changelog confirms the sanitization of HTML in Genesis shortcode attributes to prevent XSS from contributor-level users [1]. Users are advised to update to version 3.6.1 or later.