CVE-2025-8684 in Flatsome Theme

Summary

by MITRE • 09/05/2025

The Flatsome Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 09/05/2025

The Flatsome Theme for WordPress is one of the most widely used premium themes in the WordPress ecosystem, with over 100,000 installations reported. This vulnerability affects all versions up to and including 3.20.0 and lies in the theme's shortcode implementation: user-supplied shortcode attributes are neither validated on input nor escaped on output before they are rendered into the page. An attacker who can place a shortcode in content can therefore inject script through carefully crafted attribute values.

Technically this is a stored cross-site scripting flaw, CWE-79 (improper neutralization of input during web page generation). It requires only Contributor-level privileges, the lowest WordPress role that can create posts, so every Author, Editor and Administrator can exploit it as well; that makes the attack surface far broader than XSS issues that require more privileged access. Shortcode attributes are a reliable vector for low-privilege users for a specific reason: WordPress filters a Contributor's post body with KSES, which strips script tags and event-handler attributes from HTML, but a shortcode is plain text in the stored post, not HTML, so KSES leaves its attribute values alone. The theme expands the shortcode into markup at render time, and if it concatenates the raw values into that markup, an attribute value that starts with a double quote closes the HTML attribute the theme opened and lets the attacker append an event handler or any other attribute. A Contributor cannot publish, but a pending post is rendered through the theme when an Editor or Administrator previews it for review, so the payload can reach a privileged user before the page is ever public.

The operational impact is substantial: the injected script runs in the browser of every user who views a page containing the malicious shortcode. WordPress marks its authentication cookies HttpOnly, so the practical risk is less cookie theft than the script acting with the victim's session, redirecting visitors to malicious sites, exfiltrating whatever the page can reach, or, when the viewer is a logged-in Administrator, performing administrative actions on that user's behalf. Because the payload is stored in post content, it executes on every view until the content is cleaned up, which makes it a convenient way to keep persistence in a compromised site. The flaw therefore threatens not just individual users but the whole site and its visitor base, especially in multi-user environments where several contributors edit content.

Mitigation should start with updating Flatsome to a release later than 3.20.0 in which shortcode attributes are escaped for their output context (esc_attr(), esc_url(), esc_html() or wp_kses_post(), depending on where the value lands). Beyond that, limit Contributor-level and higher accounts to people who actually need to create content, deploy a Content Security Policy that restricts inline script where the theme's own scripts permit it, and monitor post content, including pending posts awaiting review, for shortcodes whose attribute values contain event handlers, javascript: URLs or raw tags. The flaw is a textbook instance of the input validation and output escaping failures covered by the OWASP Top Ten. Regular security audits and penetration tests of a WordPress site should include the shortcode handlers of themes and plugins, since every shortcode attribute is user input that reaches the page.
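The rendering pattern described in the analysis above and the monitoring recommended in the mitigation paragraph, as an added example in PHP that is not Flatsome's code and not taken from the advisory: a made-up [demo_banner] shortcode rendered first without and then with context-appropriate escaping, plus a small scanner that flags shortcode attribute values carrying event handlers, javascript: URLs or raw tags. shortcode_atts(), esc_attr(), esc_html() and esc_url() are real WordPress Core functions; the stubs below are simplified stand-ins (an assumption of this example) so the file runs outside WordPress with plain php. parse_demo_atts() and find_suspicious_shortcode_atts() are hypothetical helpers written for this example, and the two post rows are constructed sample data.

```php
<?php
// Added example, not Flatsome's code: a made-up [demo_banner] shortcode that
// reproduces the bug class in the advisory (raw shortcode attributes rendered
// into HTML) next to its fix, plus a hunting helper for post content.
// The WordPress helpers below are stubbed so the file runs with plain `php`;
// inside WordPress the real Core functions exist and these are skipped.

if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? (string) $atts[$name] : $default;
        }
        return $out; // attributes not listed in $pairs are dropped, as in Core
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in for Core's esc_url(): reject non-http(s) schemes
    // (javascript:, data:, ...) and entity-encode the rest.
    function esc_url(string $url): string {
        $url = trim($url);
        if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $url) && !preg_match('#^https?:#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Minimal attribute parser for the demo (Core uses shortcode_parse_atts()).
// Handles name="v", name='v' and name=v; returns name => value.
function parse_demo_atts(string $attrText): array {
    preg_match_all('/([a-z0-9_-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $attrText, $m, PREG_SET_ORDER);
    $atts = [];
    foreach ($m as $a) {
        // Only one of the three value groups matches; PHP omits unmatched trailing groups.
        $atts[strtolower($a[1])] = ($a[2] ?? '') . ($a[3] ?? '') . ($a[4] ?? '');
    }
    return $atts;
}

// VULNERABLE: attribute values are concatenated into the markup untouched.
// KSES keeps <script> out of a Contributor's post, but a shortcode is plain
// text, so its attribute values survive and become HTML only here, at render time.
function demo_banner_vulnerable(array $atts): string {
    $a = shortcode_atts(['title' => '', 'link' => '#'], $atts);
    return '<a class="banner" href="' . $a['link'] . '">' . $a['title'] . '</a>';
}

// FIXED: escape each value for the context it lands in
// (URL attribute -> esc_url, other attributes -> esc_attr, text node -> esc_html).
function demo_banner_fixed(array $atts): string {
    $a = shortcode_atts(['title' => '', 'link' => '#'], $atts);
    return '<a class="banner" href="' . esc_url($a['link']) . '">' . esc_html($a['title']) . '</a>';
}

// Hunting helper: scan post content for shortcode attribute values that carry
// an inline event handler, a javascript: URL or a raw tag.
// Returns a list of [shortcode, attribute, value].
function find_suspicious_shortcode_atts(string $content): array {
    $hits = [];
    preg_match_all('/\[([a-z0-9_-]+)([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER);
    foreach ($tags as $tag) {
        foreach (parse_demo_atts($tag[2]) as $name => $value) {
            if (preg_match('/(^|[\s"\'])on[a-z]+\s*=|javascript\s*:|<\s*\/?[a-z]/i', $value)) {
                $hits[] = [$tag[1], $name, $value];
            }
        }
    }
    return $hits;
}

// Constructed sample rows, as a Contributor could save them in wp_posts.post_content.
$posts = [
    11 => '[demo_banner title="Spring sale" link="https://example.com/sale"]',
    12 => '[demo_banner title="Sale" link=\'" onmouseover="alert(document.cookie)\']',
];

preg_match('/\[demo_banner([^\]]*)\]/', $posts[12], $m);
$atts = parse_demo_atts($m[1]);
echo "vulnerable: " . demo_banner_vulnerable($atts) . "\n";
echo "fixed:      " . demo_banner_fixed($atts) . "\n";

foreach ($posts as $id => $content) {
    foreach (find_suspicious_shortcode_atts($content) as [$shortcode, $name, $value]) {
        echo "post $id: [$shortcode] attribute '$name' looks malicious: $value\n";
    }
}
```

Run it with php and compare the two rendered anchors: the vulnerable handler turns the Contributor's link value into an extra onmouseover attribute on the element, while the fixed handler entity-encodes the quote so the whole value stays inside href. The escaping call has to match the sink: esc_url() for href and src, esc_attr() for other attributes, esc_html() for text nodes, and wp_kses_post() only where limited HTML is genuinely wanted. For hunting on a live site, run the scanner over post_content of published and pending posts and treat any hit from a Contributor or Author account as a sign the account or its content needs review.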

Disclosure

09/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00053

KEV

no

Activities

very low
