cleantalk
Vulnerabilities and Security Researches

EG-Series, CVE-2025-4126

CVE, Research URL

CVE-2025-4126

Home page URL

Security reports for EG-Series

Application

EG-Series

Published on
May 15, 2025
Research Description
The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
Affected versions
Min -, max 2.1.1.
Status
vulnerable
Previous vulnerability researches
EG-Series (CVE-2025-4126) , May 16, 2025
New vulnerability
Broadstreet (CVE-2025-48113) , May 17, 2025
Prisna GWT – Google Website Translator (CVE-2024-12679) , May 17, 2025
Prisna GWT – Google Website Translator (CVE-2024-12680) , May 17, 2025
Responsive Contact Form Builder & Lead Generation Plugin (CVE-2024-10475) , May 17, 2025
ClipArt (CVE-2024-12726) , May 17, 2025