VYPR
← All advisories
Medium severity6.4OSV Advisory· Published Jun 20, 2025· Updated Apr 15, 2026

CVE-2025-6257

CVE-2025-6257

Description

The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3

Patches

Vulnerability mechanics

Root cause

"Insufficient input sanitization and output escaping on user-supplied shortcode attributes allows stored cross-site scripting."

Attack vector

An authenticated attacker with contributor-level access or above can inject arbitrary JavaScript or HTML via the plugin's currency shortcode attributes (e.g., `from`, `to`, `append`). When a victim visits a page containing the malicious shortcode, the unsanitized payload is rendered in the browser, leading to stored cross-site scripting [CWE-79]. The attack requires no special network access beyond the ability to create or edit posts containing the shortcode.

Affected code

The vulnerability resides in the `currency_shortcode()` method of the `eurofxref.php` file. User-supplied shortcode attributes such as `from`, `to`, `between`, `append`, `round_append`, and `to_style` were output directly without HTML escaping. Additionally, the `currency_legal_shortcode()` method lacked escaping on the `prepend` attribute.

What the fix does

The patch [patch_id=1717610] adds `esc_html()` calls to the text-based shortcode attributes (`from`, `to`, `between`, `append`, `round_append`) and applies `esc_attr()` to `to_style` before it is used in the `style` attribute. This ensures any HTML or JavaScript in user-supplied values is neutralized. The patch [patch_id=1717613] applies `esc_html()` to the `prepend` attribute in the legal shortcode function, closing the same class of vulnerability there.

Preconditions

  • authAttacker must have at least Contributor-level access to the WordPress site.
  • configThe Euro FxRef Currency Converter plugin must be installed and active.
  • inputAttacker must be able to insert the vulnerable shortcode into a post or page.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.