VYPR
Medium severity · 6.4 · NVD Advisory · Published Jun 3, 2025 · Updated Apr 15, 2026

CVE-2025-5116

Description

The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerid’ parameter in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue is due to an incomplete patch for CVE-2025-31835.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WP Plugin Info Card plugin for WordPress contains a Stored XSS vulnerability via the 'containerid' parameter, affecting all versions up to and including 5.3.1; the issue results from an incomplete patch for CVE-2025-31835.

The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping in the 'containerid' parameter. The vulnerable code is located in the Shortcodes.php file, where user-supplied input is not properly filtered before being stored or rendered [1]. This vulnerability affects all versions up to and including 5.3.1, and represents an incomplete patch for the previously reported CVE-2025-31835.

Attack Vector

To exploit this vulnerability, an attacker must first authenticate to the WordPress instance with at least Contributor-level privileges. The attacker can then inject arbitrary web scripts through the 'containerid' parameter, which is processed by the plugin's shortcode functionality. The injected scripts are stored on the server and will execute automatically when any user (including administrators) accesses the affected page.

The impact of successful exploitation includes the ability to execute arbitrary JavaScript in the context of an authenticated user's session. This can lead to session hijacking, manipulation of page content, or redirection to malicious sites. Because the XSS is stored, the attack can persist until the malicious content is removed.

Mitigation

At the time of publication, a patched version has not been released, and users are advised to apply the vendor's fix when available. As a workaround, administrators may restrict Contributor-level capabilities or disable the plugin on untrusted sites until an update is deployed.
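As an added audit example (not code from the advisory, the plugin, or the vendor): until a fix ships, a site owner can scan exported post content for shortcode instances whose containerid value is not a plain HTML id token, which is the kind of allowlist a sanitizer such as WordPress's sanitize_html_class() enforces before the value reaches an id="..." attribute. The shortcode tag name and the sample posts are constructed placeholders, since the advisory names only the parameter, not the plugin's shortcode.

```python
import re
from dataclasses import dataclass

# Any shortcode tag "[name ...]"; the tag name is deliberately not fixed because
# the advisory names only the parameter, not the plugin's shortcode.
_SHORTCODE_RE = re.compile(r"\[([A-Za-z0-9_-]+)([^\]]*)\]")
# Attribute syntax as WordPress parses it: name="v", name='v' or name=v.
_ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Strict allowlist for a value that will land in an id="..." attribute: letters,
# digits, underscore, hyphen, starting with a letter. Any quote, space or angle
# bracket that would let the value escape the attribute fails the check.
_SAFE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")

def is_safe_container_id(value: str) -> bool:
    """True when the value cannot alter the markup it is embedded in."""
    return value == "" or _SAFE_ID_RE.match(value) is not None

@dataclass
class Finding:
    post_id: int
    shortcode: str
    value: str

def audit_posts(posts, attr_name: str = "containerid") -> list:
    """One Finding per shortcode whose attr_name value fails the allowlist.
    posts: iterable of (post_id, post_content) pairs, e.g. from a DB export."""
    findings = []
    for post_id, content in posts:
        for sc in _SHORTCODE_RE.finditer(content):
            tag, attr_blob = sc.group(1), sc.group(2)
            for a in _ATTR_RE.finditer(attr_blob):
                name = a.group(1).lower()  # WordPress lowercases attribute names
                # exactly one of the three value groups matched
                value = next(g for g in a.group(2, 3, 4) if g is not None)
                if name == attr_name and not is_safe_container_id(value):
                    findings.append(Finding(post_id, tag, value))
    return findings

# Constructed sample content; "pluginshortcode" is a placeholder tag name.
SAMPLE_POSTS = [
    (101, '[pluginshortcode containerid="card-main"] [gallery ids="1,2"]'),
    (102, "[pluginshortcode containerid='card\" data-x=\"y']"),
    (103, '[pluginshortcode containerid=card_2] [other containerid="<b>"]'),
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f.post_id}: [{f.shortcode}] containerid={f.value!r}")
```

Running the audit over a real export lists every post and shortcode whose stored value could break out of the attribute, so those posts can be reviewed or reverted while the plugin stays unpatched.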

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.