{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13899", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T16:14:03.217Z", "datePublished": "2025-12-06T05:49:28.523Z", "dateUpdated": "2026-04-08T16:58:12.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:12.779Z"}, "affected": [{"vendor": "pntrinh", "product": "TR Timthumb", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "TR Timthumb <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/675bf571-eb8b-4c72-9852-b3a2b37b9a04?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tr-timthumb/trunk/inc/front.php#L39"}, {"url": "https://plugins.trac.wordpress.org/browser/tr-timthumb/tags/1.0.4/inc/front.php#L39"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-12-05T16:45:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:14:03.364133Z", "id": "CVE-2025-13899", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:14:17.545Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13899", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:14:03.364133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:14:11.109Z"}}], "cna": {"title": "TR Timthumb <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "pntrinh", "product": "TR Timthumb", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T16:45:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/675bf571-eb8b-4c72-9852-b3a2b37b9a04?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tr-timthumb/trunk/inc/front.php#L39"}, {"url": "https://plugins.trac.wordpress.org/browser/tr-timthumb/tags/1.0.4/inc/front.php#L39"}], "descriptions": [{"lang": "en", "value": "The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:12.779Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13899", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:12.779Z", "dateReserved": "2025-12-02T16:14:03.217Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:28.523Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13899", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:53.537", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tr-timthumb/tags/1.0.4/inc/front.php#L39"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tr-timthumb/trunk/inc/front.php#L39"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/675bf571-eb8b-4c72-9852-b3a2b37b9a04?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:39:23.286162+00:00", "value": {"mitigation_remediation": ["Update the TR Timthumb plugin to a version newer than 1.0.4.", "Remove or sanitize any shortcodes containing untrusted attributes in legacy content that remains on the site.", "Revoke Contributor\u2011level privileges for users who can edit content until the plugin update is applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the TR Timthumb WordPress plugin, specifically all releases up to and including version\u202f1.0.4. Sites running any of these versions and permitting Contributor or higher roles are at risk.", "description_and_impact": "The TR Timthumb plugin for WordPress is vulnerable to Stored Cross\u2011Site Scripting through shortcode attributes in all versions up to 1.0.4 because the plugin does not adequately sanitize input or escape output. An attacker who has Contributor\u2011level access or higher can insert malicious scripts into a page that will run whenever any user visits that page, potentially stealing credentials or performing other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate risk, while the EPSS score of less than 1\u202f% suggests that real\u2011world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor level or higher; from that position an attacker can inject scripts that execute in every visitor's browser, compromising confidentiality, integrity, and potentially availability of the affected site."}}}}, "created": "2025-12-08T09:39:39.029351+00:00", "updated": "2026-04-21T17:45:16.485961+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}