CVE-2025-8688

Vulnerability

Analysis

The Inline Stock Quotes plugin for WordPress versions up to and including 0.2 contains a Stored Cross-Site Scripting (XSS) vulnerability in its stock shortcode handler. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the shortcode, allowing malicious HTML or JavaScript to be stored in the WordPress database and later rendered in pages.[1]

Exploitation

To exploit this vulnerability, an attacker must be authenticated with at least contributor-level access in WordPress. The attacker can then insert the plugin's stock shortcode with specially crafted attribute values that include arbitrary web scripts. When a user (such as an administrator or site visitor) accesses a page containing the injected shortcode, the malicious script executes in the context of their browser session.[1]

Impact

Successful exploitation leads to Stored XSS, enabling the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, modifying page content, or performing other actions under the identity of the victim user. Given that contributor-level access is relatively low, the attack surface is broad for WordPress sites with multiple users.[1]

Mitigation

The plugin has been closed on the WordPress plugin directory as of August 7, 2025, due to this security issue, meaning no official patch is available.[2] Users should immediately remove or deactivate the Inline Stock Quotes plugin and consider switching to an alternative, actively maintained stock quote solution.