WordPress Plugin Vulnerabilities

WP-Recall – Registration, Profile, Commerce & More < 16.26.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'public-form' shortcode in all versions up to, and including, 16.26.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
wp-recall
Fixed in 16.26.12

References

CVE
CVE-2025-1324
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e0be093-d61a-4634-ba9b-91dd7328e8cd

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
40cecd9e-7513-4334-a11e-b3e596bde8ae

Timeline

Publicly Published
2025-03-07 (about 1 year ago)
Added
2025-03-11 (about 1 year ago)
Last Updated
2025-03-11 (about 1 year ago)

Other

Published
Title
Published
2024-10-31
Title
AwesomePress <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-26
Title
Simple Ajax Chat < 20240216 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2024-02-19
Title
Shortcodes Ultimate < 7.0.3 - Contributor+ Stored XSS
Published
2024-03-05
Title
Fluent Forms < 5.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-11-14
Title
Post Status Notifier Lite < 1.11.1 - Reflected Cross-Site Scripting