Stored Cross-Site Scripting Vulnerability in Uncode Core Plugin for WordPress
CVE-2025-6944

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Uncode Core
Vendor: CVE Published:; 4 July 2025

What is CVE-2025-6944?

The Uncode Core plugin for WordPress is impacted by a Stored Cross-Site Scripting vulnerability that arises from inadequate input sanitization and output escaping. This vulnerability specifically affects the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes. Authenticated users with contributor-level access or higher can exploit this issue to inject malicious web scripts into pages. These scripts will execute in the browsers of users accessing the compromised pages, putting their data at risk. Website administrators are urged to restrict access and ensure the plugin is updated to safeguard against this exploit.

Affected Version(s)

Uncode Core * <= 2.9.4.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://support.undsgn.com/hc/en-us/articles/213454129-Ch...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 4, 2025
Vulnerability Reserved
Jun 30, 2025

Credit

Matthew Rollings