Norebro Extra <= 1.6.8 – Unauthenticated Arbitrary Shortcode Execution | CVE 2025-64633 | Plugin Vulnerabilities

Description

The The Norebro Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/14f665ba-b312-4167-a235-8d6aa3fbace9

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

0xd4rk5id3

Verified

No

WPVDB ID

434c4e01-cebd-4c4d-a6e3-fc4820d81cd4

Timeline

Publicly Published

2025-09-26 (about 6 months ago)

Added

2025-12-20 (about 3 months ago)

Last Updated

2025-12-20 (about 3 months ago)

Other

Published

Title

Published

2024-04-16

Title

WP Dummy Content Generator < 3.3.0 - Unauthenticated Code Injection

Published

2026-01-20

Title

Nelio AB Testing < 8.2.0 - Authenticated (Editor+) Remote Code Execution

Published

2014-08-01

Title

GeoPlaces - File Upload H&ling Remote Comm& Execution

Published

2024-02-13

Title

Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution

Published

2024-11-08

Title

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.13.1 - Unauthenticated Arbitrary Shortcode Execution