CVE-2025-2803: 
WordPress vulnerability analysis and mitigation

The So-Called Air Quotes plugin for WordPress has been identified with vulnerability CVE-2025-2803, discovered and disclosed on March 29, 2025. The vulnerability affects all versions up to and including 0.1, allowing arbitrary shortcode execution. The plugin has been temporarily closed as of March 27, 2025, pending a full security review (NVD, WordPress Plugin).

The vulnerability stems from improper validation of values before running do_shortcode function, which allows unauthenticated attackers to execute arbitrary shortcodes. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The weakness has been classified as CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability enables unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized code execution on affected WordPress installations. This could result in compromised website functionality, data exposure, and potential system manipulation (NVD).

The plugin has been temporarily closed and removed from the WordPress plugin repository as of March 27, 2025, pending a full security review. Users are advised to remove the plugin from their WordPress installations until a patched version becomes available (WordPress Plugin).