{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10133", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-08T20:02:18.215Z", "datePublished": "2025-10-15T08:25:55.537Z", "dateUpdated": "2026-04-08T16:52:32.950Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:32.950Z"}, "affected": [{"vendor": "salamzadeh", "product": "URLYar URL Shortner", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "URLYar <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51867e4f-75be-4451-a585-87398881adf5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/urlyar/trunk/urlyar.php#L604"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-10-14T19:47:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T14:43:57.380416Z", "id": "CVE-2025-10133", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:44:23.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T14:43:57.380416Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:44:03.701Z"}}], "cna": {"title": "URLYar <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "salamzadeh", "product": "URLYar URL Shortner", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:47:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51867e4f-75be-4451-a585-87398881adf5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/urlyar/trunk/urlyar.php#L604"}], "descriptions": [{"lang": "en", "value": "The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:32.950Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10133", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:32.950Z", "dateReserved": "2025-09-08T20:02:18.215Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:25:55.537Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-10133", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:37.500", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/urlyar/trunk/urlyar.php#L604"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51867e4f-75be-4451-a585-87398881adf5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:06:16.445223+00:00", "value": {"mitigation_remediation": ["Upgrade the URLYar plugin to the latest available version (\u2265\u202f1.2.0), which removes the vulnerability by properly sanitizing shortcode attributes.", "If an upgrade is not possible, deactivate or uninstall the URLYar plugin to eliminate the risk of stored cross\u2011site scripting.", "As a temporary measure, limit the use of the \"urlyar_shortlink\" shortcode to administrator accounts only, restricting contributors from creating pages that store malicious scripts."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All versions of the URLYar WordPress plugin up to and including 1.1.0 are affected. The plugin is packaged by salamzadeh under the product name URLYar URL Shortener and is used in WordPress installations that include the \"urlyar_shortlink\" shortcode.", "description_and_impact": "The URLYar URL Shortener plugin for WordPress contains a stored cross\u2011site scripting flaw that arises from inadequate sanitization and escaping of the attributes supplied to its \"urlyar_shortlink\" shortcode. Because of this, authenticated users with contributor or higher roles can embed malicious JavaScript into posts or pages that the plugin renders. When other visitors load the affected page, the injected script will execute in their browsers, allowing the attacker to steal session cookies, deface content, or perform further attacks. The vulnerability is limited to users who have contributor privileges and does not allow unauthenticated access. The impact is one of data theft and possible defacement within the compromised site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium level of severity, and the EPSS score of less than 1% suggests the likelihood of exploitation is currently very low. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must be authenticated with contributor or higher privileges to inject the payload. Once a page containing the injected script is accessed by any visitor, the malicious code runs in the context of that user\u2019s browser, potentially compromising their data or session. Because the flaw is stored, it persists until the content is modified or the plugin is updated."}}}}, "created": "2025-10-20T13:27:07.377661+00:00", "updated": "2026-04-22T13:15:17.843612+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}