{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1529", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T23:25:35.481Z", "datePublished": "2025-05-01T11:11:40.903Z", "dateUpdated": "2026-04-08T16:35:39.344Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:39.344Z"}, "affected": [{"vendor": "johanaarstein", "product": "AM LottiePlayer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "AM LottiePlayer <= 3.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Lottie File", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f44fcc8-c5e0-44f5-92c3-6603b19a06fe?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3278523/am-lottieplayer"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "timeline": [{"time": "2025-02-21T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-04-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-01T13:53:36.092875Z", "id": "CVE-2025-1529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:59:01.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-01T13:53:36.092875Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:58:03.460Z"}}], "cna": {"title": "AM LottiePlayer <= 3.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Lottie File", "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "johanaarstein", "product": "AM LottiePlayer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-21T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-04-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f44fcc8-c5e0-44f5-92c3-6603b19a06fe?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3278523/am-lottieplayer"}], "descriptions": [{"lang": "en", "value": "The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:39.344Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1529", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:39.344Z", "dateReserved": "2025-02-20T23:25:35.481Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-01T11:11:40.903Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento AM LottiePlayer para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de archivos Lottie subidos en todas las versiones hasta la 3.5.3 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-1529", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-01T12:15:16.093", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3278523/am-lottieplayer"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f44fcc8-c5e0-44f5-92c3-6603b19a06fe?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T02:04:39.042781+00:00", "value": {"mitigation_remediation": ["Check for an official update from the plugin author and apply it if available", "If an update is unavailable, immediately deactivate or remove the AM LottiePlayer plugin from your WordPress site", "Restrict the Author role to the minimum required privileges and prevent lottie file uploads from that role", "Consider applying a web application firewall rule to detect and block script fragments in uploaded lottie files"], "summary": {"action": "Apply Update", "impact": "Stored Cross\u2011Site Scripting (XSS) that can be triggered by authenticated authors or higher who upload lottie files, leading to arbitrary script execution in other users' browsers"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the AM LottiePlayer plugin provided by johanaarstein in all releases up to and including version 3.5.3. Any WordPress installation running one of these versions is potentially affected.", "description_and_impact": "The AM LottiePlayer plugin for WordPress is vulnerable to stored cross\u2011site scripting because uploaded lottie files are not properly sanitized or escaped. Authenticated authors or higher can embed arbitrary JavaScript into a lottie file, and the code will execute in the browsers of any user who views a page rendering that file. This could be used for session hijacking, credential theft, or malicious redirection.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of < 1% suggests a low probability of active exploitation at this time. The vulnerability is not listed in CISA KEV. Exploitation requires an authenticated user with Author or higher privileges to upload a malicious lottie file, after which any user who view the affected page will have their browser compromised. The attack vector is likely an authenticated file upload rather than an unauthenticated remote request."}}}}, "created": "2025-07-12T15:26:25.743178+00:00", "updated": "2026-04-28T02:15:18.700447+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}