CVE-2025-6460

The Display During Conditional Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.2. The vulnerability exists because the plugin fails to properly sanitize user input and escape output when handling the message parameter in the [display_during] shortcode. This parameter is intended for a plain text fallback message, but insufficient validation allows the injection of arbitrary HTML and JavaScript [1].

To exploit this vulnerability, an attacker must be an authenticated user with at least Contributor-level access to the WordPress site. The attacker can craft a post or page containing the [display_during] shortcode with a malicious payload in the message attribute. When any user, including administrators or site visitors, views the affected page, the injected script executes in their browser within the context of the WordPress site [1].

Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing the site. The impact is limited to the privileges of the victim's session, but can lead to full site compromise if an administrator is targeted [1].

As of the publication date, the plugin has not released a patched version for this vulnerability. Users are advised to update the plugin to the latest available version and to restrict Contributor-level access to trusted users only. The vendor may release a security update in the future [1].