CVE-2025-6460

CVSS v3: 6.4 (MEDIUM)
CVSS v2: N/A
Affected: 1 project

Description

The Display During Conditional Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

<p>Display content conditionally based on a schedule. Choose from three scheduling modes:</p>
<ol>
<li><strong>Date Range</strong> – Show content between specific start and end dates</li>
<li><strong>Recurring</strong> – Show content on specific days of the week during a time window</li>
<li><strong>Custom</strong> – Use PHP strtotime expressions for flexible scheduling</li>
</ol>
<h4>Gutenberg Block</h4>
<p>The <strong>Display During</strong> block provides a visual editor with:</p>
<ul>
<li>Sidebar controls for all three scheduling modes</li>
<li>Date/time pickers for start and end dates</li>
<li>Day-of-week checkboxes for recurring schedules</li>
<li>Live status indicator (active/inactive)</li>
<li>Optional fallback message when content is hidden</li>
<li>Copy as Shortcode toolbar button</li>
</ul>
<h4>Shortcodes</h4>
<p>The <code>[display_during]</code> shortcode works in the Classic Editor and anywhere shortcodes are supported.</p>
<p><strong>Date range:</strong><br />
[display_during start_day_time="June 1, 2026 8:00 am" end_day_time="December 31, 2026 11:59 pm"]Content here[/display_during]</p>
<p><strong>Recurring schedule (new in 2.0):</strong><br />
[display_during days="mon,wed,fri" start_time="09:00" end_time="17:00"]Office hours content[/display_during]</p>
<p><strong>Custom strtotime:</strong><br />
[display_during start_day_time="Sun 8:00 am" end_day_time="Mon 8:00 pm"]Weekend content[/display_during]</p>
<p><strong>With fallback message:</strong><br />
[display_during end_day_time="June 1, 2026"]Register now![display_during_message]Registration has closed.[/display_during_message][/display_during]</p>
<h4>Shortcode Parameters</h4>
<ul>
<li><code>start_day_time</code> – When to start showing content (strtotime string or date)</li>
<li><code>end_day_time</code> – When to stop showing content</li>
<li><code>days</code> – Comma-separated days for recurring mode (mon,tue,wed,thu,fri,sat,sun)</li>
<li><code>start_time</code> – Start time for recurring mode (HH:MM format)</li>
<li><code>end_time</code> – End time for recurring mode (HH:MM format)</li>
<li><code>timezone_location</code> – PHP timezone identifier (defaults to site timezone)</li>
<li><code>message</code> – Plain text fallback message (legacy; use nested shortcode for rich content)</li>
</ul>
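The advisory above describes the bug only in outline: the <code>message</code> attribute of the shortcode is written into the page without sanitization or escaping. The following is an added illustrative example, not the plugin's own code, that reconstructs that pattern in a minimal date-range shortcode handler and places a hardened handler beside it. The function names (<code>display_during_vulnerable</code>, <code>display_during_hardened</code>, <code>display_during_is_active</code>), the wrapper markup and the sample attribute value are assumptions made for this example; the WordPress helpers used (<code>shortcode_atts</code>, <code>esc_attr</code>, <code>esc_html</code>, <code>do_shortcode</code>, <code>wp_timezone</code>) are real core functions, with minimal stand-ins defined so the file also runs outside WordPress.

```php
<?php
// Added illustrative example; not the plugin's own code. It reconstructs the
// pattern the advisory describes (the 'message' shortcode attribute written
// into the page unescaped) beside a hardened handler. The function names
// display_during_vulnerable / display_during_hardened / display_during_is_active
// and the wrapper markup are assumptions made for this example.
//
// Outside WordPress, minimal stand-ins for the core helpers are defined so the
// file runs with `php example.php`; inside WordPress the real ones are used.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, $shortcode = '') {
        $out = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
    // Core esc_attr()/esc_html() amount to entity-encoding & < > " '
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
    function do_shortcode($content) { return $content; }
    function wp_timezone() { return new DateTimeZone(date_default_timezone_get()); }
}

// Attribute defaults shared by both handlers (date-range mode only; the
// recurring-mode attributes days/start_time/end_time are left out here).
function display_during_defaults() {
    return array(
        'start_day_time'    => '',
        'end_day_time'      => '',
        'timezone_location' => '',
        'message'           => '',
    );
}

// True when $now falls inside [start_day_time, end_day_time]; an empty bound is
// open-ended. Bounds are parsed with strtotime semantics in the configured
// timezone. An unparsable date or timezone makes the block inactive, so the
// fallback message is shown instead of the scheduled content.
function display_during_is_active(array $a, DateTimeImmutable $now) {
    try {
        $tz    = $a['timezone_location'] !== '' ? new DateTimeZone($a['timezone_location']) : wp_timezone();
        $start = $a['start_day_time'] !== '' ? new DateTimeImmutable($a['start_day_time'], $tz) : null;
        $end   = $a['end_day_time']   !== '' ? new DateTimeImmutable($a['end_day_time'], $tz)   : null;
    } catch (Exception $e) {
        return false;
    }
    return ($start === null || $now >= $start) && ($end === null || $now <= $end);
}

// VULNERABLE pattern: the attacker-controlled 'message' attribute is
// concatenated into an HTML attribute and into element text with no escaping.
// A Contributor can place the shortcode in a post; once published, the value
// reaches every visitor who loads the page.
function display_during_vulnerable($atts, $content = '') {
    $a = shortcode_atts(display_during_defaults(), (array) $atts, 'display_during');
    if (display_during_is_active($a, new DateTimeImmutable('now'))) {
        return do_shortcode($content);
    }
    return '<p class="display-during-message" title="' . $a['message'] . '">'
         . $a['message'] . '</p>';
}

// HARDENED: escape for the context the value lands in, esc_attr() inside the
// attribute and esc_html() in the text node. The schedule logic is unchanged.
function display_during_hardened($atts, $content = '') {
    $a = shortcode_atts(display_during_defaults(), (array) $atts, 'display_during');
    if (display_during_is_active($a, new DateTimeImmutable('now'))) {
        return do_shortcode($content);
    }
    return '<p class="display-during-message" title="' . esc_attr($a['message']) . '">'
         . esc_html($a['message']) . '</p>';
}

// Constructed input: the end date is in the past, so the fallback message is
// rendered. The message closes the title attribute and smuggles in another one.
$atts = array(
    'end_day_time' => 'January 1, 2000',
    'message'      => 'Closed" data-injected="1',
);
echo display_during_vulnerable($atts, 'Register now!'), "\n";
echo display_during_hardened($atts, 'Register now!'), "\n";
```

Running the file shows the vulnerable handler emitting the extra <code>data-injected</code> attribute while the hardened one keeps the whole value inert as <code>&amp;quot;</code>-encoded text. Note why the Contributor threshold matters: users without the <code>unfiltered_html</code> capability have their post content run through KSES on save, which strips disallowed tags, but a shortcode attribute that only needs a quote character to break out of its context contains nothing for KSES to remove. Output-side escaping in the handler is the control that closes the hole; if the fallback is meant to carry markup, pass it through <code>wp_kses_post()</code> rather than emitting it raw.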
WordPress Plugin Directory