{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1794", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-28T18:43:27.517Z", "datePublished": "2026-04-08T06:43:43.700Z", "dateUpdated": "2026-04-08T17:31:54.482Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:54.482Z"}, "affected": [{"vendor": "johanaarstein", "product": "AM LottiePlayer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "AM LottiePlayer <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alex Thomas"}], "timeline": [{"time": "2025-02-28T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T17:38:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:47:23.763614Z", "id": "CVE-2025-1794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:13:53.072Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:47:23.763614Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:47:24.759Z"}}], "cna": {"title": "AM LottiePlayer <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG", "credits": [{"lang": "en", "type": "finder", "value": "Alex Thomas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "johanaarstein", "product": "AM LottiePlayer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-28T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T17:38:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php"}], "descriptions": [{"lang": "en", "value": "The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:54.482Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1794", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:54.482Z", "dateReserved": "2025-02-28T18:43:27.517Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:43.700Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-1794", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:19.643", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AM LottiePlayer", "source": "cna", "vendor": "johanaarstein"}, "product": "am_lottieplayer", "vendor": "johanaarstein"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:50:42.551926+00:00", "value": {"mitigation_remediation": ["Update AM LottiePlayer to the latest version (3.6.1 or newer) to eliminate the SVG sanitization issue.", "If an update cannot be performed immediately, remove the ability for Author\u2011level users to upload SVG files or disable the upload feature entirely.", "Search the uploads directory for any SVG files that may contain malicious content and delete or sanitize them.", "Review site content for injected scripts and remove any that are found.", "Ensure that WordPress core and other plugins are current, restrict user roles appropriately, and consider deploying a web application firewall to block XSS payloads."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw is present in all releases of AM LottiePlayer up to and including version 3.6.0. WordPress sites that have this plugin installed and permit Author\u2011level users to upload SVG files are impacted. Any site that has not upgraded beyond 3.6.0 should be inspected for the presence of the plugin and the uploaded SVG content.", "description_and_impact": "The AM LottiePlayer plugin for WordPress allows users with Author or higher roles to upload SVG files. The plugin does not sanitize or escape the content of those SVG files, which leads to stored cross\u2011site scripting. A malicious actor can embed JavaScript within the SVG, and the script will execute in the browsers of visitors who view the affected page, allowing the attacker to run arbitrary scripts on the site.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates a moderate severity vulnerability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower current exploitation likelihood. Nonetheless, the requirement for an authenticated Author or higher user to upload an SVG is a realistic scenario in many collaborative WordPress environments. Once exploited, the injected script runs for every visitor to the affected page, providing a persistent attack surface. The exploitation path is straightforward: an authenticated user uploads a crafted SVG through the plugin\u2019s interface."}}}}, "created": "2026-04-08T19:31:00.161516+00:00", "updated": "2026-04-08T19:43:31.532285+00:00", "vendors": ["johanaarstein", "johanaarstein$PRODUCT$am_lottieplayer", "wordpress", "wordpress$PRODUCT$wordpress"]}