CVE-2025-54746

Vulnerability

Overview

The Shortcode Redirect plugin for WordPress (versions up to and including 1.0.02) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated attacker with sufficient privileges to inject arbitrary HTML and JavaScript code into the plugin's shortcode parameters, which is then stored and executed in the browsers of visitors viewing affected pages.

Exploitation

Details

Exploitation requires a privileged user role (such as an editor or administrator) to insert a malicious shortcode into a post or page. The injected payload is stored server-side and executed automatically when any user — including unauthenticated visitors — loads the compromised page. No additional user interaction is needed beyond the initial injection by the privileged actor [1].

Impact

A successful attack enables the attacker to perform a range of malicious actions, including redirecting visitors to external sites, displaying unauthorized advertisements, or injecting other HTML payloads. This can lead to reputational damage, loss of visitor trust, and trust, and potential further compromise if the injected script steals session cookies or credentials [1].

Mitigation

The vendor has released version 1.0.03 which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. Although the vulnerability is rated as medium severity (CVSS 6.5) and considered low likelihood of exploitation, it has been noted that similar XSS flaws are frequently used in mass-exploit campaigns targeting WordPress sites [1].