CVE-2025-0512
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious JavaScript via the Structured Content plugin's shortcode. The injected scripts execute whenever other users view affected pages, enabling session hijacking, content defacement, or credential theft. All WordPress sites using this plugin up to version 6.4.5 are affected.
💻 Affected Systems
- WordPress Structured Content (JSON-LD) plugin
📦 What is this software?
Structured Content by Wpsc Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, or redirect visitors to malicious sites, potentially leading to complete site compromise and data breaches.
Likely Case
Malicious contributors inject scripts to display unwanted ads, redirect users, or steal session cookies from visitors, leading to reputation damage and potential credential theft.
If Mitigated
With proper user access controls and content review processes, the impact is limited to potential content defacement on specific pages where malicious shortcodes are used.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access; technical details and vulnerable code are publicly available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.6 or later
Vendor Advisory: https://wordpress.org/plugins/structured-content/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Structured Content (JSON-LD)'
4. Click 'Update Now' if update is available
5. Alternatively, download version 6.4.6+ from WordPress plugin repository and manually update
🔧 Temporary Workarounds
Disable vulnerable shortcode
allRemove or disable the sc_fs_local_business shortcode functionality
Add to theme's functions.php: remove_shortcode('sc_fs_local_business');
Restrict user roles
allTemporarily restrict contributor-level users from creating or editing posts
Use WordPress role management plugins or custom code to modify capabilities
🧯 If You Can't Patch
- Implement strict content review process for all posts/pages created by contributor-level users
- Install and configure a Web Application Firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Structured Content plugin version 6.4.5 or earlierCheck Version:
wp plugin list --name='structured-content' --field=version (if WP-CLI installed)Verify Fix Applied:
Verify plugin version is 6.4.6 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode usage in post revisions
- Multiple post edits by contributor users in short timeframe
Network Indicators:
- JavaScript payloads in POST requests to wp-admin/post.php
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/post.php" OR uri_path="/wp-admin/admin-ajax.php") AND (http_method="POST") AND (content LIKE "%sc_fs_local_business%" OR content LIKE "%<script>%")🔗 References
- https://plugins.trac.wordpress.org/browser/structured-content/trunk/templates/shortcodes/local-business.php#L10
- https://plugins.trac.wordpress.org/changeset/3248930/
- https://wordpress.org/plugins/structured-content/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8ac5fe69-7885-4fb7-8107-079216d6955e?source=cve
