{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13884", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T14:34:47.305Z", "datePublished": "2025-12-12T03:20:52.766Z", "dateUpdated": "2026-04-08T17:13:39.383Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:39.383Z"}, "affected": [{"vendor": "buntegiraffe", "product": "Hide Email Address", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Hide Email Address <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a770ab37-127a-4018-9ffa-1b326d5a016e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bg-hide-email-address/trunk/BgHideEmailAddress.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/bg-hide-email-address/tags/0.1/BgHideEmailAddress.php#L101"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-12-11T14:24:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T15:01:32.382777Z", "id": "CVE-2025-13884", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T15:01:46.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T15:01:32.382777Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T15:01:41.185Z"}}], "cna": {"title": "Hide Email Address <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "buntegiraffe", "product": "Hide Email Address", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:24:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a770ab37-127a-4018-9ffa-1b326d5a016e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bg-hide-email-address/trunk/BgHideEmailAddress.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/bg-hide-email-address/tags/0.1/BgHideEmailAddress.php#L101"}], "descriptions": [{"lang": "en", "value": "The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:39.383Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13884", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:39.383Z", "dateReserved": "2025-12-02T14:34:47.305Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:52.766Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13884", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:43.133", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bg-hide-email-address/tags/0.1/BgHideEmailAddress.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bg-hide-email-address/trunk/BgHideEmailAddress.php#L101"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a770ab37-127a-4018-9ffa-1b326d5a016e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:31:36.191001+00:00", "value": {"mitigation_remediation": ["Upgrade the Hide Email Address plugin to the latest available version, which removes the inline_css sanitization flaw.", "If no update is available, disable the Hide Email Address plugin or delete posts that contain its shortcode to eliminate the vector.", "Adjust WordPress role permissions so that Contributor and higher users cannot edit content that includes the hide\u2011email shortcode, limiting the ability to inject malicious scripts."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting via the inline_css shortcode parameter, allowing authenticated Contributor-level users to inject scripts that run in any user\u2019s browser when they view affected pages."}, "threat_synthesis": {"affected_systems": "The vulnerability affects the buntegiraffe Hide Email Address WordPress plugin, versions up to and including 0.1. No other products or versions are listed as affected.", "description_and_impact": "The Hide Email Address plugin for WordPress includes a stored cross\u2011site scripting vulnerability that is triggered by submitting malicious content to the inline_css attribute of its shortcode. An attacker who can add or edit posts with contributor or higher privileges can place arbitrary JavaScript in the inline_css field; when any user views the page, the payload executes with the user\u2019s browser context. This can lead to session hijacking, content injection, or defacement of the site, representing a serious threat to confidentiality, integrity, and availability of the website\u2019s content and user sessions.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity while the EPSS score of less than 1% shows a low probability of exploitation at this time. The vulnerability is not in the CISA KEV catalog. Exploitation requires that the attacker has authenticated access with Contributor or higher privileges, which is a moderate access requirement. Once achieved, the exploit is straightforward: submit malicious code via the inline_css attribute and rely on its execution in subsequent page views. The risk is mitigated by a lack of a public exploit, but the presence of the vulnerability in a widely used plugin warrants prompt remediation."}}}}, "created": "2025-12-12T08:48:27.027870+00:00", "updated": "2026-04-20T21:45:18.953653+00:00", "vendors": ["buntegiraffe", "buntegiraffe$PRODUCT$hide_email_address", "wordpress", "wordpress$PRODUCT$wordpress"]}