{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14049", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T16:54:45.261Z", "datePublished": "2025-12-12T07:20:34.804Z", "dateUpdated": "2026-04-08T16:52:36.499Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:36.499Z"}, "affected": [{"vendor": "e4jvikwp", "product": "VikRentItems Flexible Rental Management System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "VikRentItems Flexible Rental Management System <= 1.2.0 - Reflected Cross-Site Scripting via 'delto' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51b56dc5-0d2d-4fa9-872c-4193f61c165f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vikrentitems/trunk/site/views/deliverymap/tmpl/default.php#L277"}, {"url": "https://plugins.trac.wordpress.org/browser/vikrentitems/tags/1.2.0/site/views/deliverymap/tmpl/default.php#L277"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414595%40vikrentitems&new=3414595%40vikrentitems&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-04T17:09:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T19:11:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T20:44:48.164853Z", "id": "CVE-2025-14049", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:44:59.708Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14049", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T20:44:48.164853Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:44:54.115Z"}}], "cna": {"title": "VikRentItems Flexible Rental Management System <= 1.2.0 - Reflected Cross-Site Scripting via 'delto' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "e4jvikwp", "product": "VikRentItems Flexible Rental Management System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T17:09:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T19:11:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51b56dc5-0d2d-4fa9-872c-4193f61c165f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vikrentitems/trunk/site/views/deliverymap/tmpl/default.php#L277"}, {"url": "https://plugins.trac.wordpress.org/browser/vikrentitems/tags/1.2.0/site/views/deliverymap/tmpl/default.php#L277"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414595%40vikrentitems&new=3414595%40vikrentitems&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:36.499Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14049", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:36.499Z", "dateReserved": "2025-12-04T16:54:45.261Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T07:20:34.804Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-14049", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T08:15:47.663", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vikrentitems/tags/1.2.0/site/views/deliverymap/tmpl/default.php#L277"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vikrentitems/trunk/site/views/deliverymap/tmpl/default.php#L277"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414595%40vikrentitems&new=3414595%40vikrentitems&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51b56dc5-0d2d-4fa9-872c-4193f61c165f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:14:28.919383+00:00", "value": {"mitigation_remediation": ["Upgrade the VikRentItems plugin to the latest version available, ensuring that the version is greater than 1.2.0.", "If an immediate upgrade is not feasible, configure the WordPress instance to block or sanitize the 'delto' parameter, for example by using a security plugin that strips or escapes user\u2011supplied data in URLs.", "Deploy a web application firewall (WAF) or enable a CSRF/XSS protection plugin to detect and mitigate reflected XSS attempts before they reach the browser."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue affects the VikRentItems Flexible Rental Management System plugin for WordPress, specifically all releases up to and including version 1.2.0. Users running a WordPress site with this plugin installed are susceptible; no other vendors or products are implicated by the available data.", "description_and_impact": "The vulnerability is an instance of Reflected Cross\u2011Site Scripting, originating from insufficient input sanitization and output escaping of the 'delto' parameter. It allows an unauthenticated attacker to inject arbitrary JavaScript into web pages that the victim's browser will render, potentially enabling phishing, credential theft, or malicious script execution. The weakness aligns with CWE\u201179 and can compromise user data and trust in the website.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA KEV, implying no confirmed large\u2011scale attacks yet. If an attacker can lure a user to interact with a specially crafted URL containing a malicious 'delto' payload, the XSS will occur on the victim's browser. The lack of authentication requirement and the reflected nature of the flaw make this an easily exploitable vector for phishing or script injection."}}}}, "created": "2025-12-14T21:16:23.363866+00:00", "updated": "2026-04-22T00:15:03.777642+00:00", "vendors": ["e4jvikwp", "e4jvikwp$PRODUCT$vikrentitems_flexible_rental_management_system", "wordpress", "wordpress$PRODUCT$wordpress"]}