CVE-2025-6944

The Uncode Core plugin for WordPress versions up to 2.9.4.2 contain a stored cross-site scripting (XSS) vulnerability in the 'uncode_hl_text' and 'uncode_text_icon' shortcodes. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing untrusted data to be stored and later rendered without proper neutralization [1].

Exploitation requires an authenticated attacker with at least contributor-level access. The attacker can craft a post or page using the vulnerable shortcodes with malicious JavaScript embedded in attributes. When any user (including administrators) visits the affected page, the injected script executes in the context of the victim's browser session [1].

A successful attack can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability does not require any special network position and can be triggered by simply viewing the stored content [1].

Uncode has released version 2.12 (notably the referenced changelog shows 2.12 as the fix) which resolves this issue. Users are strongly advised to update to the latest version. No workarounds are documented [1].