CVE-2025-12661 – The Pollcaster Shortcode Plugin for WordPress h... (How to Fix)

📋 TL;DR

The Pollcaster Shortcode Plugin for WordPress has a stored XSS vulnerability in the 'height' parameter of its shortcode. Authenticated attackers with contributor-level access or higher can inject malicious scripts that execute when users view affected pages. All versions up to and including 1.0 are vulnerable.

💻 Affected Systems

Products:

Pollcaster Shortcode Plugin for WordPress

Versions: All versions ≤ 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with plugin enabled. Contributor-level access or higher needed for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with contributor access inject malicious scripts to steal user session cookies or display phishing content to visitors.

🟢

If Mitigated

With proper user role management and content review, impact is limited to potential defacement of specific pages.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is technically simple once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://wordpress.org/plugins/pollcaster-shortcode/

Restart Required: No

Instructions:

1. Remove the Pollcaster Shortcode Plugin
2. Delete all posts/pages containing pollcaster shortcodes
3. Consider alternative polling plugins

🔧 Temporary Workarounds

Disable Plugin

all

Deactivate and remove the vulnerable plugin

wp plugin deactivate pollcaster-shortcode
wp plugin delete pollcaster-shortcode

Restrict User Roles

all

Limit contributor-level access to trusted users only

🧯 If You Can't Patch

Implement strict content review process for all posts/pages from contributors
Add WAF rules to block XSS payloads in post content

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Pollcaster Shortcode version. If version ≤ 1.0, you're vulnerable.

Check Version:

wp plugin get pollcaster-shortcode --field=version

Verify Fix Applied:

Confirm plugin is removed and no posts contain [pollcaster] shortcodes.

📡 Detection & Monitoring

Log Indicators:

Unusual post edits by contributor users
Posts containing suspicious height parameters in pollcaster shortcodes

Network Indicators:

Outbound connections to suspicious domains from your WordPress site

SIEM Query:

source="wordpress" AND (event="post_edit" AND user_role="contributor" AND content LIKE "%[pollcaster%height=%")

📊 Metadata

CVE ID: CVE-2025-12661

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (12.8th percentile)

Published: November 21, 2025

Last Updated: November 21, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12661, you might also want to check these: