CVE-2025-7655

Vulnerability

Description

The Live Stream Badger plugin for WordPress, in versions up to and including 1.4.3, contains a stored cross-site scripting (XSS) vulnerability in its [livestream] shortcode. The plugin fails to properly sanitize user-supplied attributes passed to the shortcode, and does not escape the output when rendering the embedded stream. This allows authenticated attackers to inject arbitrary HTML and JavaScript code.

Attack

Vector

An attacker must have at least Contributor-level access to a WordPress site using the vulnerable plugin. By crafting a malicious shortcode via a post or page, the attacker can inject a payload into any attribute that is later displayed. The injected script will execute in the browser of any user who views the affected page. No other authentication or network position is required beyond the contributor account.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can result in session hijacking, cookie theft, redirection to malicious sites, or defacement of the WordPress site. The stored nature of the vulnerability means the payload persists and affects every subsequent visitor until removed.

Mitigation

All versions of Live Stream Badger up to and including 1.4.3 are affected. Users should upgrade to a patched version if one exists, or consider disabling the shortcode until a fix is applied. The root cause is the improper handling of attributes as seen in the shortcode class file [1].