{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14121", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T16:24:30.793Z", "datePublished": "2026-01-07T09:21:03.432Z", "dateUpdated": "2026-04-08T17:19:34.414Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:34.414Z"}, "affected": [{"vendor": "samikeijonen", "product": "EDD Download Info", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "EDD Download Info <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0290595-d74d-404e-9d28-75abc9055031?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/edd-download-info/trunk/includes/shortcodes.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/edd-download-info/tags/1.1/includes/shortcodes.php#L43"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-01-06T20:33:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:33:20.339261Z", "id": "CVE-2025-14121", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:35:15.813Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14121", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:33:20.339261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:35:12.295Z"}}], "cna": {"title": "EDD Download Info <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "samikeijonen", "product": "EDD Download Info", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T20:33:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0290595-d74d-404e-9d28-75abc9055031?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/edd-download-info/trunk/includes/shortcodes.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/edd-download-info/tags/1.1/includes/shortcodes.php#L43"}], "descriptions": [{"lang": "en", "value": "The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:34.414Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14121", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:34.414Z", "dateReserved": "2025-12-05T16:24:30.793Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T09:21:03.432Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin EDD Download Info para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode 'edd_download_info_link' en todas las versiones hasta la 1.1, inclusive, debido a la sanitizaci\u00f3n insuficiente de la entrada y al escape de salida en atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-14121", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:53.003", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/edd-download-info/tags/1.1/includes/shortcodes.php#L43"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/edd-download-info/trunk/includes/shortcodes.php#L43"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0290595-d74d-404e-9d28-75abc9055031?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:15:33.943751+00:00", "value": {"mitigation_remediation": ["Upgrade the EDD Download Info plugin to a version newer than 1.1 when a patched release is available. ", "Enforce strict input validation and output escaping for the edd_download_info_link shortcode attributes, or disable the shortcode if it is not required for site functionality. ", "Deploy a site\u2011wide Content Security Policy that restricts inline script execution, thereby mitigating the impact of any residual XSS payloads."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting caused by insufficient sanitization of shortcode attributes"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the EDD Download Info plugin by samikeijonen. All releases up to and including version 1.1 are impacted. No specific subcomponents are mentioned beyond the problematic shortcode attributes.", "description_and_impact": "The EDD Download Info plugin for WordPress is vulnerable to stored cross\u2011site scripting through the edd_download_info_link shortcode. Input supplied by authenticated users with contributor\u2011level access is not properly sanitized or escaped, allowing these users to embed malicious scripts that run whenever a page containing the injected content is viewed. This flaw can lead to compromise of confidential user data or execution of arbitrary code in the context of the website.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity problem, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Because the attack requires authenticated access at the contributor level or higher, the exposure is limited to users granted those permissions. An attacker could create or modify download entries to inject scripts that execute whenever other site visitors view the affected page, leading to session hijacking, defacement, or credential theft."}}}}, "created": "2026-01-08T09:49:57.583249+00:00", "updated": "2026-04-20T21:30:18.561119+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}