CVE-2025-68079

Vulnerability

Overview The Salient Shortcodes plugin for WordPress versions 1.5.4 and earlier contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw allows malicious scripts to be permanently stored on the server and executed when visitors access affected pages. [1]

Exploitation

Details To exploit this vulnerability, an attacker must have a privileged role (such as Author or higher) that can submit crafted input through the shortcode functionality. While user interaction is required for a privileged user to inject the payload, the stored script then executes automatically for any visitor viewing the compromised page. This attack vector is common in mass-exploit campaigns targeting WordPress installations. [1]

ImpactSuccessful exploitation enables an attacker to inject arbitrary JavaScript, HTML, or HTML into pages served to site visitors. This can lead to redirects, unwanted advertisements, defacement, or theft of session tokens — ultimately compromising the integrity and trust of the affected website. The CVSS v3 base score is 6.5 (Medium), reflecting the need for prior authentication and user interaction. [1]

MitigationThe vulnerability is resolved in version 1.5.5 of Salient Shortcodes. All users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins. [1]