VYPR
Medium severity (CVSS 6.4) · NVD Advisory · Published Sep 11, 2025 · Updated Apr 15, 2026

CVE-2025-8316

Description

The Certifica WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘evento’ parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Certifica WP plugin up to v3.1 contains a Stored XSS vulnerability via the 'evento' parameter, allowing authenticated attackers to inject arbitrary scripts.

Vulnerability

Overview

The Certifica WP plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) through its 'evento' shortcode parameter. The plugin fails to properly sanitize user-supplied input or escape output when rendering the parameter in pages. In versions up to and including 3.1, the $event_key variable is derived from the evento attribute without sanitization, allowing malicious script payloads to be stored [1].

Exploitation

Details

An attacker with at least Contributor-level access can inject arbitrary web scripts via the shortcode. The vulnerability is triggered when the plugin processes the evento attribute and subsequently outputs it without escaping. Although the code checks for user login and validates the event key against a hardcoded string ('ID_EVENTO'), no XSS sanitization is performed on the attribute itself [1]. The injected script executes in the context of any user visiting the affected page, including administrators.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of visitors. This can lead to session hijacking, defacement, or theft of sensitive information. The CVSS v3 score of 6.4 (Medium) reflects the requirement for authenticated access, weighed against the potential for broad impact on site users.

Mitigation

As of the analysis, no patch has been released for versions up to 3.1. Administrators should restrict Contributor-level access where possible, audit pages for injected scripts, and consider disabling the plugin until an update is available.
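For reference, the pattern that closes the gap described above (attribute used as $event_key without sanitization, then output without escaping) is to sanitize the shortcode attribute on input and escape it on every output path, including the rejection message. The following is an added illustration, not the Certifica WP plugin's code; the shortcode tag, function names and CSS classes are assumptions.

```php
<?php
// Added illustration of a hardened shortcode handler for an attribute like
// 'evento'. Not the Certifica WP plugin's code; names below are assumptions.

add_shortcode( 'certifica_evento_demo', 'certifica_demo_render_event' );

/**
 * Render an event block from the 'evento' shortcode attribute.
 *
 * Contributors can save shortcodes into post content, so the attribute value
 * is attacker-controlled and must be treated as untrusted input.
 */
function certifica_demo_render_event( $atts ) {
    // Fill in defaults so a missing attribute is an empty string, not a notice.
    $atts = shortcode_atts( array( 'evento' => '' ), $atts, 'certifica_evento_demo' );

    // Keep the login check the advisory describes; it limits who sees output,
    // but on its own it does nothing against stored XSS.
    if ( ! is_user_logged_in() ) {
        return '';
    }

    // Sanitize on input: strip tags, encoded characters and line breaks
    // before the value is used as the event key.
    $event_key = sanitize_text_field( $atts['evento'] );

    // Validate with a strict comparison against the expected id. 'ID_EVENTO'
    // stands in for the hardcoded value the advisory mentions.
    $expected_key = 'ID_EVENTO';
    if ( $event_key !== $expected_key ) {
        // Escape on output even for the rejected value: an error message that
        // echoes the raw attribute is exactly the sink a stored XSS needs.
        return '<p class="certifica-demo-error">'
             . esc_html__( 'Unknown event', 'certifica-demo' ) . ': '
             . esc_html( $event_key ) . '</p>';
    }

    // Escape in the correct context: esc_attr() inside an attribute,
    // esc_html() inside element text.
    return '<div class="certifica-demo-event" data-event="' . esc_attr( $event_key ) . '">'
         . esc_html( $event_key ) . '</div>';
}
```

The same two rules (sanitize_text_field() on the way in, esc_html()/esc_attr() on the way out) are what an auditor should look for when checking any shortcode handler that echoes its attributes.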

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)