Unrated severityNVD Advisory· Published Feb 21, 2025· Updated Apr 8, 2026

WP-Appbox <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode

CVE-2025-1489

Description

The WP-Appbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's appbox shortcode in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Marcelismus/Wp Appboxllm-fuzzy2 versions
<=4.5.4+ 1 more
- (no CPE)range: <=4.5.4
- (no CPE)range: 0
WordPress/Wp Appboxwp-canonicalize
Package: https://wordpress.org/plugins/wp-appbox

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

WP-Appbox <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode

Description

AI Insight

Affected products

Patches

Vulnerability mechanics

References

News mentions