Vulnerability-Lookup

CNVD-2025-17272

Vulnerability from cnvd - Published: 2025-07-31

Title

WordPress structured content跨站脚本漏洞

Description

WordPress structured content是一种通过优化网页元素（如标题、描述、图片等）的语义化标记，提升搜索引擎对页面内容的理解能力，从而改善搜索结果展示和点击率的技术。 WordPress structured content存在跨站脚本漏洞，该漏洞源于输入清理和输出转义不足，攻击者可利用该漏洞通过跨站脚本攻击，篡改网页内容，误导用户。

Severity

中

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://wordpress.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-4608

Impacted products

Name
WordPress structured content <=1.6.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-4608",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-4608"
    }
  },
  "description": "WordPress structured content\u662f\u4e00\u79cd\u901a\u8fc7\u4f18\u5316\u7f51\u9875\u5143\u7d20\uff08\u5982\u6807\u9898\u3001\u63cf\u8ff0\u3001\u56fe\u7247\u7b49\uff09\u7684\u8bed\u4e49\u5316\u6807\u8bb0\uff0c\u63d0\u5347\u641c\u7d22\u5f15\u64ce\u5bf9\u9875\u9762\u5185\u5bb9\u7684\u7406\u89e3\u80fd\u529b\uff0c\u4ece\u800c\u6539\u5584\u641c\u7d22\u7ed3\u679c\u5c55\u793a\u548c\u70b9\u51fb\u7387\u7684\u6280\u672f\u3002\n\nWordPress structured content\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8f93\u5165\u6e05\u7406\u548c\u8f93\u51fa\u8f6c\u4e49\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff0c\u7be1\u6539\u7f51\u9875\u5185\u5bb9\uff0c\u8bef\u5bfc\u7528\u6237\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://wordpress.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-17272",
  "openTime": "2025-07-31",
  "products": {
    "product": "WordPress structured content \u003c=1.6.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-4608",
  "serverity": "\u4e2d",
  "submitTime": "2025-07-30",
  "title": "WordPress structured content\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2025-4608 (GCVE-0-2025-4608)

Vulnerability from cvelistv5 – Published: 2025-07-24 09:22 – Updated: 2025-07-24 13:13

Title

Structured Content <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode

Summary

The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

Wordfence

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabil…
	https://wordpress.org/plugins/structured-content/…
	https://plugins.trac.wordpress.org/browser/struct…
	https://plugins.trac.wordpress.org/browser/struct…

Impacted products

	Vendor	Product	Version
	codemacher	Structured Content (JSON-LD) #wpsc	Affected: * , ≤ 1.6.4 (semver)

Credits

muhammad yudha

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4608",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-24T13:13:48.683645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-24T13:13:52.396Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Structured Content (JSON-LD) #wpsc",
          "vendor": "codemacher",
          "versions": [
            {
              "lessThanOrEqual": "1.6.4",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "muhammad yudha"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-24T09:22:20.909Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8c60701-37f0-4404-b965-9136ac456e38?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/structured-content/#developers"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/structured-content/tags/1.6.4/templates/shortcodes/local-business.php"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/structured-content/tags/1.6.4/class-structuredcontent.php#L188"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-07-23T20:37:40.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Structured Content \u003c= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-4608",
    "datePublished": "2025-07-24T09:22:20.909Z",
    "dateReserved": "2025-05-12T20:00:42.686Z",
    "dateUpdated": "2025-07-24T13:13:52.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-17272

CVE-2025-4608 (GCVE-0-2025-4608)

Tags

Sightings

Nomenclature