CVE-2025-8691

The WP Scriptcase plugin for WordPress, up to version 2.0.0, contains a stored cross-site scripting (XSS) vulnerability in its shortcode handler. The plugin registers a [scriptcase] shortcode that accepts a url attribute. In the source code (reference [2]), the shortcode function retrieves the url parameter using extract(shortcode_atts(...)) and directly outputs it inside an ` tag's src` attribute without any sanitization or output escaping. This lack of input validation allows attackers to inject arbitrary HTML and JavaScript.

To exploit this vulnerability, an attacker must have at least Contributor-level access to a WordPress site. The attacker can insert the malicious shortcode into a post or page via the WordPress editor. When any user, including administrators or visitors, accesses the affected page, the injected script executes in the context of the victim's browser. The attack does not require any special network position beyond being able to create or edit posts.

Successful exploitation leads to stored in the page's content leads to persistent execution of attacker-controlled scripts. This can result in session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies and authentication tokens. The impact is amplified because the injected script runs for every visitor to the compromised page.

The plugin has been closed on the WordPress plugin directory as of September 10, 2025, due to this security issue (reference [1]). No patched version is available; users should remove the plugin immediately. There is no known workaround other than disabling or deleting the plugin. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.