Search criteria
2 vulnerabilities by vikashsrivastava1111989
CVE-2025-2805 (GCVE-0-2025-2805)
Vulnerability from cvelistv5 – Published: 2025-04-10 07:02 – Updated: 2026-04-08 17:25
VLAI?
Title
ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
Summary
The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity ?
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| vikashsrivastava1111989 | ORDER POST |
Affected:
0 , ≤ 2.0.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T13:50:29.391007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:00:17.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ORDER POST",
"vendor": "vikashsrivastava1111989",
"versions": [
{
"lessThanOrEqual": "2.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Avraham Shemesh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:34.832Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35ea739-5ee9-4779-87d5-3f13b11229cf?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/order-post/trunk/wp_post_order.php"
},
{
"url": "https://wordpress.org/plugins/order-post/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-09T18:09:31.000Z",
"value": "Disclosed"
}
],
"title": "ORDER POST \u003c= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2805",
"datePublished": "2025-04-10T07:02:40.354Z",
"dateReserved": "2025-03-25T21:38:18.262Z",
"dateUpdated": "2026-04-08T17:25:34.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23491 (GCVE-0-2025-23491)
Vulnerability from cvelistv5 – Published: 2025-02-03 14:22 – Updated: 2026-04-28 16:11
VLAI?
Title
WordPress VSTEMPLATE Creator plugin <= 2.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikash Srivastava VSTEMPLATE Creator vstemplate-creator allows Reflected XSS.This issue affects VSTEMPLATE Creator: from n/a through <= 2.0.2.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vikash Srivastava | VSTEMPLATE Creator |
Affected:
0 , ≤ 2.0.2
(custom)
|
Date Public ?
2026-04-01 16:32
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:07:28.285346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:34:59.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vstemplate-creator",
"product": "VSTEMPLATE Creator",
"vendor": "Vikash Srivastava",
"versions": [
{
"lessThanOrEqual": "2.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:32:44.473Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Vikash Srivastava VSTEMPLATE Creator vstemplate-creator allows Reflected XSS.\u003cp\u003eThis issue affects VSTEMPLATE Creator: from n/a through \u003c= 2.0.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Vikash Srivastava VSTEMPLATE Creator vstemplate-creator allows Reflected XSS.This issue affects VSTEMPLATE Creator: from n/a through \u003c= 2.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:10.705Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vstemplate-creator/vulnerability/wordpress-vstemplate-creator-plugin-2-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress VSTEMPLATE Creator plugin \u003c= 2.0.2 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-23491",
"datePublished": "2025-02-03T14:22:41.933Z",
"dateReserved": "2025-01-16T11:25:20.560Z",
"dateUpdated": "2026-04-28T16:11:10.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}