CVE-2025-62111

Vulnerability

Overview

The Extra Shortcodes plugin for WordPress (versions up to and including 2.2) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables attackers with sufficient privileges to inject malicious scripts that are stored on the server and executed when other users visit affected pages.

Exploitation

Details

Exploitation requires a privileged user role (such as an editor or administrator) to perform an action, such as clicking a malicious link or submitting a crafted form [1]. The attacker does not need direct access to the site; instead, they can trick a privileged user into triggering the payload. Once injected, the script persists in the database and executes for any visitor viewing the compromised page.

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript, which can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or deface the website [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously.

Mitigation

The vulnerability is patched in version 2.2.1 or later. Users are strongly advised to update the plugin immediately. If updating is not possible, site administrators should restrict access to trusted users and consider using a web application firewall (WAF) as a temporary workaround [1].