Shortcodes Ultimate is a ubiquitous WordPress plugin used by over 500,000 websites to effortlessly embed rich content—galleries, tabs, sliders—through simple shortcode syntax. While its drag-and-drop gallery builder and extensive shortcode library enhance user experience, a serious security flaw—CVE-2025-8015—has been discovered. This vulnerability permits an Author+ user to inject persistent JavaScript into gallery items (via image links or titles), which executes when administrators or other privileged users interact with the gallery. Ultimately, attackers can escalate privileges, create admin backdoors, and fully compromise the site.
| CVE | CVE-2025-8015 |
| Plugin Version | Shortcodes Ultimate <= 7.4.2 |
| Critical | High |
| All Time | 23 497 655 |
| Active installations | 500 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8015 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/shortcodes-ultimate-742-authenticated-author-stored-cross-site-scripting-via-image-title-and-slide-link |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| July 8, 2025 | Plugin testing and vulnerability detection in the WP Shortcodes Plugin — Shortcodes Ultimate have been completed |
| July 8, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| July 21, 2025 | Registered CVE-2025-8015 |
Discovery of the Vulnerability
During a focused security assessment of the gallery shortcode feature, our team identified insufficient sanitization of user-supplied attributes. Specifically, the plugin trusted the Slide link and Title fields of uploaded images. When an Author user sets the link to javascript:alert(1) or injects an onmouseover attribute into the Title, the raw input is stored in the database and later rendered into the gallery shortcode output without escaping. This stored XSS payload persists across post edits and is delivered to any user viewing or interacting with the gallery.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities have plagued WordPress for years, particularly in plugins that handle user-generated content. Stored XSS—where the attack payload is saved on the server—is the most dangerous variant, as it executes for every visitor. Past incidents, like XSS in NextGEN Gallery and Contact Form 7, have led to mass credential theft and stealth admin creation. In CVE-2025-8015, by leveraging gallery shortcode rendering, an attacker bypasses typical author restrictions and exploits the plugin’s trust in image metadata to stealthily inject JavaScript event handlers.
Exploiting the XSS Vulnerability
To exploit CVE-2025-8015, an attacker without any Cookie:
POC:
1) Upload any image and change "Slide link" to javascript:alert(1) 2) From Administrator account - Create a new Post and add here shortcode block 3) Choose Gallery Shortcode from the list. 4) Select uploaded image and click "Save" 5) Add to shortcode link="custom" width="100" height="100" 6) Click on image in new Post OR 1) Upload any image and change "Title" to 123" onmouseover=alert(1)// 2) From Administrator account - Create a new Post and add here shortcode block 3) Choose Gallery Shortcode from the list. 4) Select uploaded image and hover on it____
The risk posed by CVE-2025-8015 is immense. Attackers can escalate from an Author account to full administrator control without any additional privilege. In a multi-author blog or corporate portal, a compromised Author account can serve as the beachhead for site-wide takeover. Potential scenarios include:
- Silent Admin Creation: Injected JavaScript using REST API calls can create a hidden administrator account.
- Data Exfiltration: Malicious scripts can harvest cookies, tokens, or personal data and send them exfiltrated to attacker-controlled domains.
- Persistent Backdoors: By installing rogue plugins or modifying theme files via injected JavaScript, attackers can maintain access even after cleaning visible traces.
The ubiquity of Shortcodes Ultimate across diverse use cases—e-commerce galleries, portfolio sites, membership areas—means this vulnerability could have widespread, devastating impact.
Recommendations for Improved Security
To mitigate CVE-2025-8015 and strengthen overall security posture:
- Immediate Patch Deployment: Update Shortcodes Ultimate to the fixed version that properly sanitizes slide links and titles.
- Sanitize User Inputs: Enforce sanitization on URL fields using
esc_url()and strip out event handlers from attributes viawp_kses()filters. - Escape Output: Utilize
esc_attr()andesc_html()when rendering image attributes and titles in gallery shortcodes. - Restrict Author Capabilities: Remove the
unfiltered_htmlcapability for Author roles and use a role manager to limit custom HTML input. - Content Security Policy (CSP): Deploy a robust CSP to block inline JavaScript and prevent execution of malicious event handlers.
- Continuous Monitoring: Implement a Web Application Firewall (WAF) to detect and block XSS patterns and audit logs for suspicious shortcode modifications.
To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-8015 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.