WP-ShowHide < 1.06 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-67541 | Plugin Vulnerabilities

Description

The WP-ShowHide plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.05 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 1.06

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/dee7d15e-61f5-4774-8ae9-060634b9662c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Yudha - DJ

Verified

No

WPVDB ID

f2b3509e-a246-4788-8880-2bce1f0eee58

Timeline

Publicly Published

2025-12-15 (about 4 months ago)

Added

2025-12-19 (about 4 months ago)

Last Updated

2025-12-19 (about 4 months ago)

Other

Published

Title

Published

2015-08-26

Title

SoundCloud Is Gold <= 2.3.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2023-11-07

Title

WP Crowdfunding < 2.1.7 - Reflected XSS

Published

2024-07-08

Title

Ultimate Blocks < 3.2.0 - Contributor+ Stored XSS

Published

2022-10-17

Title

WP < 6.0.3 - Multiple Stored XSS via Gutenberg

Published

2024-05-28

Title

FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS