{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11769", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T22:06:20.660Z", "datePublished": "2025-11-13T08:27:48.069Z", "dateUpdated": "2026-04-08T17:29:43.901Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:43.901Z"}, "affected": [{"vendor": "aumsrini", "product": "WordPress Content Flipper", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d591a6-4bbe-435b-aef6-ed176c42dca2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L144"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L258"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-12T20:24:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T18:12:32.188595Z", "id": "CVE-2025-11769", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T18:12:37.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11769", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T18:12:32.188595Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T18:12:34.541Z"}}], "cna": {"title": "WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "aumsrini", "product": "WordPress Content Flipper", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-12T20:24:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d591a6-4bbe-435b-aef6-ed176c42dca2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L144"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L258"}], "descriptions": [{"lang": "en", "value": "The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:43.901Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11769", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:43.901Z", "dateReserved": "2025-10-14T22:06:20.660Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-13T08:27:48.069Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11769", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-13T09:15:46.820", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L144"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L258"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d591a6-4bbe-435b-aef6-ed176c42dca2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:38:10.695737+00:00", "value": {"mitigation_remediation": ["Update the WordPress Content Flipper plugin to a version newer than 0.1 that removes the vulnerable bgcolor attribute handling", "If an update is not immediately possible, remove or disable the flipper_front shortcode from usable content or restrict its use to administrators only", "Add a Content Security Policy that blocks inline scripts or disallows execution of scripts from untrusted sources"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed the WordPress Content Flipper plugin version 0.1 or earlier is affected. The vendor listed in the CNA data is aumsrini, and the insecure plugin is loaded as a WordPress plugin on the site.", "description_and_impact": "The WordPress Content Flipper plugin allows authenticated attackers with contributor\u2011level or higher access to inject arbitrary JavaScript through the bgcolor attribute of the flipper_front shortcode. Because the attribute is stored without proper sanitization or escaping, the injected script runs in the browser of any user who views the affected page, enabling malicious actions such as cookie theft, session hijacking, or further cross\u2011site attacks. The weakness is a classic stored cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "The vulnerability scores a CVSS base score of 6.4, indicating a moderate severity. The EPSS score is less than 1%, suggesting that exploitation is unlikely in the near term. It is not listed in the CISA KEV catalog. The attack vector is authenticated: an attacker must first gain contributor or higher access to the WordPress site, after which the malicious script is injected into stored content and executed by any visitor to that page. No additional system prerequisites are required beyond the normal WordPress installation and exposed shortcode functionality."}}}}, "created": "2025-11-13T15:50:08.895950+00:00", "updated": "2026-04-21T01:45:24.440348+00:00", "vendors": ["aumsrini", "aumsrini$PRODUCT$wordpress_content_flipper", "wordpress", "wordpress$PRODUCT$wordpress"]}