CVE-2025-4608: 
WordPress vulnerability analysis and mitigation

The Structured Content plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-4608) in versions up to and including 1.6.4. The vulnerability exists in the plugin's scfslocal_business shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This security issue was discovered and reported on July 24, 2025 (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The flaw exists in the plugin's shortcode functionality where user input is not properly sanitized before being output in pages (Wordfence).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

Users should update to a version newer than 1.6.4 when available. Until then, it is recommended to restrict access to the WordPress editor to trusted users only and carefully monitor content changes (WordPress Plugin).