CVE-2025-4126: 
WordPress vulnerability analysis and mitigation

The EG-Series plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-4126) affecting all versions up to and including 2.1.1. The vulnerability was discovered on May 15, 2025, and exists in the plugin's [series] shortcode functionality due to insufficient input sanitization and output escaping on user-supplied attributes in the shortcode_title function (NVD, Wiz).

The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) with a CVSS v3.1 Base Score of 6.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue specifically affects the shortcode_title function's handling of the titletag attribute, where insufficient sanitization allows for JavaScript code injection (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code through the titletag attribute. The injected code will execute whenever a user accesses the affected page. This is particularly concerning on sites where the Classic Editor plugin is activated (NVD).

Site administrators should update the EG-Series plugin to a version newer than 2.1.1 once available. Until then, it is recommended to review and limit contributor access to the plugin's shortcode functionality (Wiz).