CVE-2025-23877: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress plugin Nite Shortcodes, identified as CVE-2025-23877. The vulnerability affects versions up to and including 1.0 of the plugin, with the initial disclosure made on January 16, 2025. The security researcher SOPROBRO identified this vulnerability, which allows authenticated users with contributor-level access or higher to perform stored XSS attacks (WPScan, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the Nite Shortcodes plugin. It has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected content. This could enable malicious actors to inject scripts for redirects, advertisements, and other HTML payloads that execute when guests visit the affected site (Patchstack).

As of the vulnerability disclosure, no official fix is available for this security issue. The vulnerability is considered to have a low severity impact and is unlikely to be exploited, according to the assessment (Patchstack).