{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3432", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-07T19:48:39.838Z", "datePublished": "2025-04-08T08:22:08.355Z", "dateUpdated": "2026-04-08T16:42:47.217Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:47.217Z"}, "affected": [{"vendor": "elpix", "product": "AAWP Obfuscator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "AAWEP Obfuscator <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26b1b899-37a2-44fd-b961-5e6175e0417f?source=cve"}, {"url": "https://wordpress.org/plugins/aawp-obfuscator/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff"}], "timeline": [{"time": "2025-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T13:19:11.774407Z", "id": "CVE-2025-3432", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:19:32.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3432", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-08T13:19:11.774407Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:19:21.467Z"}}], "cna": {"title": "AAWEP Obfuscator <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "elpix", "product": "AAWP Obfuscator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26b1b899-37a2-44fd-b961-5e6175e0417f?source=cve"}, {"url": "https://wordpress.org/plugins/aawp-obfuscator/"}], "descriptions": [{"lang": "en", "value": "The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:47.217Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3432", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:47.217Z", "dateReserved": "2025-04-07T19:48:39.838Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-08T08:22:08.355Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento AAWP Obfuscator para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'data-aawp-web' en todas las versiones hasta la 1.0 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes autenticados, con acceso de autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-3432", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-08T09:15:28.630", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/aawp-obfuscator/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26b1b899-37a2-44fd-b961-5e6175e0417f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:35:17.123050+00:00", "value": {"mitigation_remediation": ["Upgrade the AAWP Obfuscator plugin to the latest release, which removes the insecure data-aawp-web handling.", "Restrict Author\u2011level permissions to only trusted individuals and consider demoting or disabling the role if it is not required.", "Implement a web\u2011application firewall or server\u2011side sanitization rule that blocks or escapes JavaScript code submitted through the data-aawp-web parameter until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via author\u2011level input"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the elpix AAWP Obfuscator plugin installed in any version up to and including 1.0 are affected. The vulnerability exists in all these releases regardless of configuration. Site administrators should verify whether the plugin is present and at which version.", "description_and_impact": "The AAWP Obfuscator plugin can store malicious scripts in the data-aawp-web field because the input is not sanitized or escaped. When a user views the affected page, the unsanitized script runs in that user\u2019s browser, giving the attacker the ability to steal session cookies, deface content, or perform phishing attacks. The flaw is limited to authenticated accounts that have Author or higher privileges, but many WordPress installations grant these roles widely.", "risk_and_exploitability": "The CVSS score of 6.4 reflects a moderate damage potential and an attack path that requires prior authentication. The EPSS score of less than 1\u2009% indicates the exploitation probability is currently low, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, because the flaw allows persistent arbitrary JavaScript execution, any attacker who gains or already possesses Author\u2011level credentials can compromise other user sessions or deface the site. The risk remains high for sites that expose the data-aawp-web parameter to content editors without additional filtering."}}}}, "created": "2025-07-12T22:44:53.904851+00:00", "updated": "2026-04-22T17:45:22.919930+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}