WordPress Security Bulletin: Display During Conditional Shortcode Plugin Vulnerability (CVE-2025-6460)

On this page

Security Alert Summary

The Display During Conditional Shortcode plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the message parameter in all versions up to and including 1.2. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages; those scripts execute whenever a user accesses an injected page.


CVE Details

  • CVE ID: CVE-2025-6460
  • Affected plugin / component: Display During Conditional Shortcode plugin for WordPress
  • Affected versions: All versions up to and including 1.2
  • Published: February 18, 2026, 5:16:18 AM
  • Last modified: February 18, 2026, 5:16:18 AM
  • CVSS v3.1: Base score 6.4 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Authentication required; privileges required: Contributor-level access or higher (CVSS: Privileges Required = Low); user interaction: None
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Scope: Changed
  • CWE / weakness: CWE-79 (Cross-site Scripting)
  • Patched / fixed version: Not specified in the CVE entry

Technical Details

The vulnerability is a stored cross-site scripting issue that arises from insufficient input sanitization and output escaping of the message parameter. According to the CVE description, an authenticated user with Contributor-level access or higher can submit content that includes malicious script content in the message field. Because the plugin does not properly sanitize or escape that input before storing and rendering it, the injected script is persisted and will execute each time a user views the affected page.

The CVE description does not name specific internal functions or REST endpoints beyond the message parameter. The core technical cause is the lack of appropriate input validation and output escaping for user-supplied content, which allows arbitrary script execution in the context of site visitors’ browsers. The measurable impact per the CVSS vector is limited to confidentiality and integrity (both low); availability is not impacted.


How This Could Impact Your Website

In a typical small-to-medium WordPress site, a contributor, an external contractor, or a compromised account with Contributor-level permissions could add or edit content that includes a malicious payload in the message parameter. When site owners, editors, or other staff view the injected page, the script can run in their browsers and may access information available to those users in the page context. Practical consequences include exposure of data visible to affected users (for example, contact details or other information displayed on pages) and an increased risk of targeted phishing or social engineering campaigns that leverage content rendered from the site.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (patched version not specified in the CVE entry).
  • Review and reduce unnecessary user roles and privileges, especially Contributor-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and logs for unusual behavior, such as unexpected content changes or newly created pages.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References