CVE-2025-22594

The Better User Shortcodes plugin for WordPress (versions up to and including 1.0) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the user.

Exploitation requires a privileged user, such as an administrator, to click a crafted link or visit a specially prepared page [1]. The attacker does not need authentication but relies on social engineering to trick the victim into performing the action. Once the victim interacts, the injected script executes in the context of their WordPress session.

Successful exploitation enables the attacker to inject malicious scripts that can redirect visitors, display advertisements, or steal sensitive information like session cookies [1]. This could lead to further compromise of the WordPress site, including privilege escalation or data theft.

As of the advisory date, no official patch has been released for the plugin [1]. Users are advised to update the plugin immediately if a fix becomes available, or apply a virtual patch via security tools like Patchstack to block attacks until an update can be safely deployed [1].