VYPR
Medium severity 6.5 · NVD Advisory · Published Apr 23, 2026 · Updated Apr 23, 2026

CVE-2025-62110

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS. This issue affects Rescue Shortcodes: from n/a through 3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Rescue Shortcodes WordPress plugin (versions up to 3.3) allows authenticated attackers with contributor-level access to inject malicious scripts via unsanitized shortcode inputs.

Vulnerability Overview

The Rescue Shortcodes plugin for WordPress versions up to 3.3 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows malicious shortcode parameters to be stored and later executed in the browsers of visitors.

Exploitation Details

Exploitation requires an authenticated user with at least contributor-level privileges, as shortcodes are typically inserted into posts or pages. The attacker can inject arbitrary JavaScript via a shortcode attribute. When the content is rendered, the script executes without proper sanitization [1]. While user interaction (e.g., clicking a link) may be needed to trigger the injection, the stored payload automatically runs on page load for subsequent visitors.

Impact

Successful exploitation enables an attacker to perform actions such as redirecting users to malicious sites, displaying advertisements, stealing session cookies, or defacing the website. The CVSS score of 6.5 reflects a medium severity, but such vulnerabilities are frequently targeted in mass exploitation campaigns [1].

Mitigation

The vendor has released version 3.4 which resolves the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is available [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
