CVE-2025-47673: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Arconix Shortcodes WordPress plugin, tracked as CVE-2025-47673. The vulnerability was discovered by Peter Thaleikis and publicly disclosed on May 16, 2025. This security issue affects versions of Arconix Shortcodes through 2.1.16, developed by tychesoftwares (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 7.1 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is characterized by its network attack vector, low attack complexity, and no required privileges, though it does require user interaction (Wiz).

When exploited, this vulnerability allows malicious actors to inject malicious scripts into affected websites. These injected scripts can include redirects, advertisements, and other HTML payloads that will be executed when guests visit the compromised site (Patchstack).

Users are advised to update to version 2.1.17 or later to resolve the vulnerability. For Patchstack users, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update can be applied. Users can also enable auto-update for vulnerable plugins (Patchstack).