Vulnerabilities and security researches foreg-series eg-series

May 16, 2025

CVE, Research URL: CVE-2025-4126
Home page URL: Security reports for EG-Series
Application: EG-Series
Date: May 15, 2025
Research Description: The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
Affected versions: Min -, max -.
Status: vulnerable