{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0820", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-28T23:09:50.400Z", "datePublished": "2025-03-01T04:21:47.812Z", "dateUpdated": "2026-04-08T16:40:39.999Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:39.999Z"}, "affected": [{"vendor": "clicface", "product": "Clicface Trombi", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.08", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Clicface Trombi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018nom\u2019 parameter in all versions up to, and including, 2.08 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Clicface Trombi <= 2.08 - Authenticated (Contributor+) Stored Cross-Site Scripting via nom Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d9ff834-8a11-4ec7-9371-15d56bc84106?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/clicface-trombi/trunk/clicface-trombi.php#L80"}, {"url": "https://wordpress.org/plugins/clicface-trombi/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "SOPROBRO"}], "timeline": [{"time": "2025-02-28T15:27:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T16:01:09.411295Z", "id": "CVE-2025-0820", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T17:39:07.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0820", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-03T16:01:09.411295Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T16:01:10.893Z"}}], "cna": {"title": "Clicface Trombi <= 2.08 - Authenticated (Contributor+) Stored Cross-Site Scripting via nom Parameter", "credits": [{"lang": "en", "type": "finder", "value": "SOPROBRO"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "clicface", "product": "Clicface Trombi", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.08"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-28T15:27:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d9ff834-8a11-4ec7-9371-15d56bc84106?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/clicface-trombi/trunk/clicface-trombi.php#L80"}, {"url": "https://wordpress.org/plugins/clicface-trombi/#developers"}], "descriptions": [{"lang": "en", "value": "The Clicface Trombi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018nom\u2019 parameter in all versions up to, and including, 2.08 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:39.999Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0820", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:39.999Z", "dateReserved": "2025-01-28T23:09:50.400Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-01T04:21:47.812Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Clicface Trombi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018nom\u2019 parameter in all versions up to, and including, 2.08 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Clicface Trombi para WordPress es vulnerable a cross site scripting almacenado a trav\u00e9s del par\u00e1metro 'nom' en todas las versiones hasta la 2.08 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-0820", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-01T05:15:15.953", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/clicface-trombi/trunk/clicface-trombi.php#L80"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/clicface-trombi/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d9ff834-8a11-4ec7-9371-15d56bc84106?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T03:32:36.048860+00:00", "value": {"mitigation_remediation": ["Update Clicface Trombi to version 2.09 or later, which removes the stored XSS flaw.", "If an immediate update is not possible, revoke or tighten Contributor and higher role capabilities that allow modification of the plugin\u2019s fields, thereby preventing new injections.", "As a temporary safeguard, deploy a web\u2011application firewall or output filter that blocks stored JavaScript in plugin pages until the plugin can be fully updated."], "summary": {"action": "immediate patch", "impact": "stored cross-site scripting with authenticated contributors"}, "threat_synthesis": {"affected_systems": "All WordPress installations that have the Clicface Trombi plugin installed with a version equal to or lower than 2.08 are affected. The vulnerability is independent of the WordPress core version and impacts any contributor\u2011level role that can supply the nom parameter.", "description_and_impact": "The Clicface Trombi plugin, versions 2.08 and earlier, contains a stored cross\u2011site scripting flaw that allows any user with Contributor or higher access to inject arbitrary JavaScript through the \u2018nom\u2019 parameter. Because the input is neither sanitized nor properly escaped, the malicious code is persisted in the database and will execute in the browser of any visitor who loads the affected page. This can lead to session hijacking, credential theft, or defacement of the site in the context of the user viewing the page.", "risk_and_exploitability": "The CVSS v3 score of 6.4 indicates a moderate severity, but the EPSS score of less than 1% and the lack of listing in the CISA KEV catalog suggest a low likelihood of current exploitation. Because the flaw requires authenticated access, an attacker must first be able to log in with at least Contributor privileges. Once an injection is stored, any page viewed by other users will execute the malicious script. The attack vector is therefore an authenticated, web\u2011based exploitation that does not rely on network-level vulnerabilities."}}}}, "created": "2025-07-13T11:14:24.389956+00:00", "updated": "2026-04-28T03:45:20.279339+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}