Shortcodes Ultimate is a ubiquitous WordPress plugin used by over 500,000 websites to effortlessly embed rich content—galleries, tabs, sliders—through simple shortcode syntax. While its drag-and-drop gallery builder and extensive shortcode library enhance user experience, a serious security flaw—CVE-2025-8015—has been discovered. This vulnerability permits an Author+ user to inject persistent JavaScript into gallery items (via image links or titles), which executes when administrators or other privileged users interact with the gallery. Ultimately, attackers can escalate privileges, create admin backdoors, and fully compromise the site.

CVECVE-2025-8015
Plugin VersionShortcodes Ultimate <= 7.4.2
CriticalHigh
All Time23 497 655
Active installations500 000+
Publicly PublishedMay 30, 2025
Last UpdatedMay 30, 2025
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8015
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/shortcodes-ultimate-742-authenticated-author-stored-cross-site-scripting-via-image-title-and-slide-link
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

PSC by Cleantalk

Timeline

July 8, 2025Plugin testing and vulnerability detection in the WP Shortcodes Plugin — Shortcodes Ultimate have been completed
July 8, 2025I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 21, 2025Registered CVE-2025-8015

Discovery of the Vulnerability

During a focused security assessment of the gallery shortcode feature, our team identified insufficient sanitization of user-supplied attributes. Specifically, the plugin trusted the Slide link and Title fields of uploaded images. When an Author user sets the link to javascript:alert(1) or injects an onmouseover attribute into the Title, the raw input is stored in the database and later rendered into the gallery shortcode output without escaping. This stored XSS payload persists across post edits and is delivered to any user viewing or interacting with the gallery.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) vulnerabilities have plagued WordPress for years, particularly in plugins that handle user-generated content. Stored XSS—where the attack payload is saved on the server—is the most dangerous variant, as it executes for every visitor. Past incidents, like XSS in NextGEN Gallery and Contact Form 7, have led to mass credential theft and stealth admin creation. In CVE-2025-8015, by leveraging gallery shortcode rendering, an attacker bypasses typical author restrictions and exploits the plugin’s trust in image metadata to stealthily inject JavaScript event handlers.

Exploiting the XSS Vulnerability

To exploit CVE-2025-8015, an attacker without any Cookie:

POC:

1) Upload any image and change "Slide link" to javascript:alert(1)
2) From Administrator account - Create a new Post and add here shortcode block
3) Choose Gallery Shortcode from the list. 
4) Select uploaded image and click "Save"
5) Add to shortcode link="custom" width="100" height="100"
6) Click on image in new Post

OR

1) Upload any image and change "Title" to 123" onmouseover=alert(1)//
2) From Administrator account - Create a new Post and add here shortcode block
3) Choose Gallery Shortcode from the list. 
4) Select uploaded image and hover on it

____

The risk posed by CVE-2025-8015 is immense. Attackers can escalate from an Author account to full administrator control without any additional privilege. In a multi-author blog or corporate portal, a compromised Author account can serve as the beachhead for site-wide takeover. Potential scenarios include:

  • Silent Admin Creation: Injected JavaScript using REST API calls can create a hidden administrator account.
  • Data Exfiltration: Malicious scripts can harvest cookies, tokens, or personal data and send them exfiltrated to attacker-controlled domains.
  • Persistent Backdoors: By installing rogue plugins or modifying theme files via injected JavaScript, attackers can maintain access even after cleaning visible traces.

The ubiquity of Shortcodes Ultimate across diverse use cases—e-commerce galleries, portfolio sites, membership areas—means this vulnerability could have widespread, devastating impact.

Recommendations for Improved Security

To mitigate CVE-2025-8015 and strengthen overall security posture:

  1. Immediate Patch Deployment: Update Shortcodes Ultimate to the fixed version that properly sanitizes slide links and titles.
  2. Sanitize User Inputs: Enforce sanitization on URL fields using esc_url() and strip out event handlers from attributes via wp_kses() filters.
  3. Escape Output: Utilize esc_attr() and esc_html() when rendering image attributes and titles in gallery shortcodes.
  4. Restrict Author Capabilities: Remove the unfiltered_html capability for Author roles and use a role manager to limit custom HTML input.
  5. Content Security Policy (CSP): Deploy a robust CSP to block inline JavaScript and prevent execution of malicious event handlers.
  6. Continuous Monitoring: Implement a Web Application Firewall (WAF) to detect and block XSS patterns and audit logs for suspicious shortcode modifications.

To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-8015 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii I.
CVE-2025-8015 – Shortcodes Ultimate – Stored XSS (Author+) to Admin Account Creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *