Security Alert Summary
The Responsive Plus WordPress plugin prior to version 3.4.3 contains an arbitrary shortcode execution vulnerability. An unauthenticated user can trigger the plugin's AJAX action update_responsive_woo_free_shipping_left_shortcode, which does not properly validate the content_rech_data parameter before processing it as a shortcode. This allows remote attackers to inject and execute shortcodes on the affected site.
CVE Details
- CVE ID: CVE-2025-15488
- Affected component: Responsive Plus WordPress plugin
- Affected versions: Versions before 3.4.3
- Published: March 26, 2026, 7:16 AM UTC
- Last modified: March 26, 2026, 3:13 PM UTC
- CVSS v3.1 (base score): 6.5 (MEDIUM)
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
- Authentication / Privileges / User interaction: No authentication required; privileges required: none; user interaction: none
- Primary impact: Confidentiality: None; Integrity: Low; Availability: Low
- CWE / weakness: Not provided
Technical Details
The vulnerability exists because the plugin exposes an AJAX action named update_responsive_woo_free_shipping_left_shortcode that accepts a parameter called content_rech_data. The plugin processes the value of this parameter as a shortcode without proper validation or sanitization. Because the AJAX action can be invoked by unauthenticated users, a remote attacker can supply crafted input that will be executed as a shortcode by the site.
The practical effect is the injection and execution of shortcode-driven content or functionality. Depending on the shortcodes registered in the site environment (by WordPress core, the active theme, and other plugins), this can alter rendered content or trigger plugin/theme behavior, consistent with the CVSS rating of low integrity and low availability impact. The provided data indicates no direct confidentiality impact.
How This Could Impact Your Website
Consider a small WordPress site where the site owner manages settings, internal staff create content, and an external contractor contributes plugin or theme code. An unauthenticated attacker could submit malicious shortcode content via the vulnerable AJAX endpoint, which may result in unexpected changes to public-facing pages or trigger behaviors from other shortcodes and plugins. This can lead to misleading or altered page content and intermittent functionality problems consistent with low integrity and availability impact.
Such injected content could be used to present misleading information or to host links that facilitate social engineering. It does not, per the provided data, imply disclosure of confidential site data. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin to version 3.4.3 or later as soon as that version is available for your site.
- Review and reduce unnecessary user roles, especially contributors and accounts with publishing privileges.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins and themes from the site.
- Monitor site activity and logs for unusual or unexpected AJAX requests and content changes.
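As an added example (not code from the advisory or from the plugin), the following Python script scans constructed Combined Log Format lines for requests to admin-ajax.php that carry the vulnerable action, and ranks those whose content_rech_data value looks like a shortcode tag higher. It only sees parameters sent in the query string; standard web-server logs do not record POST bodies, so body-based parameters need request-body logging or a WordPress-side hook to be visible.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines (Combined Log Format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Mar/2026:08:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=update_responsive_woo_free_shipping_left_shortcode&content_rech_data=%5Bgallery%5D HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [26/Mar/2026:08:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.10 - - [26/Mar/2026:08:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=update_responsive_woo_free_shipping_left_shortcode HTTP/1.1" 200 10 "-" "python-requests/2.31"
192.0.2.44 - - [26/Mar/2026:08:03:01 +0000] "GET /shop/ HTTP/1.1" 200 9310 "-" "Mozilla/5.0"
"""

VULN_ACTION = "update_responsive_woo_free_shipping_left_shortcode"

# Captures client IP, timestamp, method, request target and status from a Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return None for unrelated lines, else a dict describing the suspicious AJAX request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)  # parse_qs percent-decodes values for us
    if qs.get("action", [None])[0] != VULN_ACTION:
        return None
    payload = qs.get("content_rech_data", [""])[0]
    # A bracketed tag in the parameter is shortcode syntax, which is what the patched
    # version stops processing; a bare call to the action is still worth reviewing.
    severity = "high" if re.search(r"\[\w+", payload) else "medium"
    return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "status": int(m.group("status")), "payload": payload, "severity": severity}


def scan(log_text):
    """Scan a whole log and return the list of suspicious requests in file order."""
    return [hit for hit in (classify(ln) for ln in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['severity'].upper():6} {hit['ip']} {hit['time']} "
              f"{hit['method']} content_rech_data={hit['payload']!r}")
```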
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.