Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the List Attachments Shortcode plugin for WordPress. This vulnerability, tracked as CVE-2025-12717, allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into WordPress pages. These scripts will execute whenever a user accesses the compromised page. All versions up to and including 0.4.1a are affected.
Technical Details
The vulnerability lies within the before_list parameter of the [list-attachments] shortcode. Due to insufficient input sanitization and output escaping, an attacker can inject malicious JavaScript code through this parameter. Specifically:
- The class-list-attachments-shortcode.php file does not properly sanitize user-supplied input for the before_list parameter within the shortcode handler.
- The output is not properly escaped, allowing the injected JavaScript to execute when the page containing the shortcode is rendered.
The vulnerable code can be found at the following locations (based on the available references):
CVSS Analysis
- CVE ID: CVE-2025-12717
- Severity: MEDIUM
- CVSS Score: 6.4
- The CVSS score reflects the fact that the vulnerability requires authentication (Author-level access) and user interaction to trigger. However, the widespread use of the plugin and the potential impact of XSS make it a significant concern.
Possible Impact
Successful exploitation of this vulnerability can have severe consequences, including:
- Account Takeover: Attackers can steal user session cookies and gain unauthorized access to administrator accounts.
- Malware Distribution: Injected scripts can redirect users to malicious websites or initiate the download of malware.
- Defacement: Attackers can modify the content of the affected pages, leading to website defacement.
- Data Theft: Sensitive information displayed on the page can be stolen.
Mitigation or Patch Steps
- Update the Plugin: The most effective mitigation is to update the List Attachments Shortcode plugin to the latest version as soon as a patched version is released. Check the WordPress plugin repository for updates.
- Disable the Plugin: If an update is not immediately available, consider disabling the plugin temporarily until a fix is released.
- Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with rules to detect and block XSS attacks targeting the before_list parameter.
- Input Sanitization (For Developers): If you are a developer and wish to patch the vulnerability yourself (use at your own risk!), ensure that all user-supplied input to the before_list parameter is properly sanitized and that all output is properly escaped before being rendered in the HTML. Use WordPress’s built-in escaping functions like esc_attr(), esc_html(), and esc_js().
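As an added illustration (not the plugin's own code), the following hypothetical shortcode handler, la_demo_shortcode registered under a made-up tag, shows the render-time filtering and escaping pattern recommended above: the before_list attribute is passed through wp_kses_post() instead of being concatenated into the output unchanged, and every attachment-derived value is escaped.

```php
<?php
// Hypothetical handler (assumption: before_list is meant to carry limited
// markup such as a heading). The weak pattern this advisory describes is
// concatenating $atts['before_list'] into the output as-is; here it goes
// through wp_kses_post(), which strips <script> and on* event handlers but
// keeps post-safe tags. If only plain text is intended, use esc_html() instead.
function la_demo_shortcode( $atts ) {
    $atts = shortcode_atts(
        array(
            'before_list' => '',
            'post_id'     => get_the_ID(),
        ),
        $atts,
        'list-attachments-demo'
    );

    // Filter the attacker-controllable attribute at render time, regardless of
    // what was stored: Author-level users lack unfiltered_html, so this is the
    // policy WordPress itself applies to their content.
    $before = wp_kses_post( $atts['before_list'] );

    $attachments = get_children( array(
        'post_parent' => absint( $atts['post_id'] ),
        'post_type'   => 'attachment',
        'numberposts' => -1,
    ) );

    $items = '';
    foreach ( $attachments as $attachment ) {
        // URL and title are escaped for the context they land in.
        $items .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( wp_get_attachment_url( $attachment->ID ) ),
            esc_html( get_the_title( $attachment ) )
        );
    }

    return $before . '<ul class="attachment-list">' . $items . '</ul>';
}
add_shortcode( 'list-attachments-demo', 'la_demo_shortcode' );
```

A before_list value containing a script tag or an onclick attribute is stripped before it reaches the page, while an allowed tag such as an h3 heading is preserved.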