CVE-2025-7957

The ShortcodeHub plugin for WordPress, in all versions up to and including 1.7.1, contains a stored cross-site scripting (XSS) vulnerability. The flaw resides in insufficient sanitization and output escaping of the ‘author_link_target’ parameter, allowing user input to be processed without neutralization [1].

Exploitation requires an authenticated user with Contributor-level access or higher. The attacker can inject arbitrary web scripts into the plugin’s shortcode output, which are then stored on the server. When any user — including administrators — visits a page containing the malformed shortcode, the injected script executes in their browser [1].

The impact is typical for stored XSS: an attacker could steal session cookies, perform actions on behalf of the victim, or deface pages. The plugin has been closed from the WordPress plugin repository as of August 21, 2025 due to a security issue [1]. Users are advised to remove the plugin or apply any available workarounds until a patched version is released.