CVE-2025-4126 – EG-Series <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

https://notcve.org/view.php?id=CVE-2025-4126

14 May 2025 — The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenev... • https://plugins.trac.wordpress.org/browser/eg-series/trunk/lib/eg-plugin.inc.php#L546 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •