{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2579", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-20T21:50:58.351Z", "datePublished": "2025-04-24T08:23:50.232Z", "dateUpdated": "2026-04-08T17:17:47.717Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:47.717Z"}, "affected": [{"vendor": "bplugins", "product": "Lottie Player \u2013 Add Interactive Lottie Animations with Block Support", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file."}], "title": "Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b85b314d-a155-4cec-95c9-0db4b9d8e59b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.1.8/plugin.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.1.8/plugin.php#L130"}, {"url": "https://wordpress.org/plugins/embed-lottie-player/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.2.0/plugin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "timeline": [{"time": "2025-04-23T19:57:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-24T13:54:04.259607Z", "id": "CVE-2025-2579", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T13:54:32.582Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2579", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-24T13:54:04.259607Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T13:54:16.723Z"}}], "cna": {"title": "Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bplugins", "product": "Lottie Player \u2013 Add Interactive Lottie Animations with Block Support", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-23T19:57:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b85b314d-a155-4cec-95c9-0db4b9d8e59b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.1.8/plugin.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.1.8/plugin.php#L130"}, {"url": "https://wordpress.org/plugins/embed-lottie-player/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.2.0/plugin.php"}], "descriptions": [{"lang": "en", "value": "The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:47.717Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2579", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:47.717Z", "dateReserved": "2025-03-20T21:50:58.351Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-24T08:23:50.232Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file."}, {"lang": "es", "value": "El complemento Lottie Player para WordPress es vulnerable a Cross-Site Scripting almacenado al subir archivos en todas las versiones hasta la 1.1.8 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario al archivo subido."}], "id": "CVE-2025-2579", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-24T09:15:30.317", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.1.8/plugin.php#L130"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.1.8/plugin.php#L82"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/embed-lottie-player/tags/1.2.0/plugin.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/embed-lottie-player/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b85b314d-a155-4cec-95c9-0db4b9d8e59b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:10:33.704027+00:00", "value": {"mitigation_remediation": ["Upgrade Lottie Player to version 1.2.0 or newer, which removes the stored XSS flaw.", "Restrict file upload permissions to administrators only or otherwise limit Author\u2011level upload capabilities.", "If an immediate upgrade is not possible, apply a temporary filter that strips script tags and other executable content from uploaded animation files before rendering."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "All installations of the Lottie Player \u2013 Add Interactive Lottie Animations with Block Support plugin up to and including version 1.1.8 are affected. Site owners who have not upgraded past this version are at risk.", "description_and_impact": "The Lottie Player plugin for WordPress allows authenticated users with Author-level or higher privileges to upload files. These files are not sanitized or escaped, enabling an attacker to embed malicious JavaScript that runs in the browsers of anyone who views the file. The vulnerability stems from insufficient input validation while processing file uploads, resulting in a stored XSS flaw.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium\u2011to\u2011high risk, while the EPSS score of <\u202f1% suggests a low likelihood of real\u2011world exploitation at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires legitimate credentials with Author or greater access and the ability to upload a malicious animation file; once stored, any site visitor who accesses the file triggers the injected script."}}}}, "created": "2026-04-21T21:15:45.449854+00:00", "updated": "2026-04-21T21:15:45.449864+00:00", "vendors": []}