Layer1-Artist

1 exploit Active since May 2025
CVE-2025-4126 NOMISEC MEDIUM WORKING POC
EG-Series <= 2.1.1 - Authenticated Stored Cross-Site Scripting via Shortcode Title Attribute
The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
CVSS 6.4