{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4170", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-01T12:17:21.705Z", "datePublished": "2025-05-03T01:43:05.396Z", "dateUpdated": "2026-04-08T16:59:07.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:07.779Z"}, "affected": [{"vendor": "xavinnydek", "product": "Xavin&#039;s Review Ratings", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Xavin&#039;s Review Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xrr' shortcode in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Xavin's Review Ratings <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c057a98-4a8d-408a-b6a4-3c322bfa0cdf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xavins-review-ratings/trunk/xavins-review-ratings.php#L293"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-05-02T11:31:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-05T14:40:48.682268Z", "id": "CVE-2025-4170", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T14:58:28.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4170", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-05T14:40:48.682268Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T14:40:49.963Z"}}], "cna": {"title": "Xavin's Review Ratings <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "xavinnydek", "product": "Xavin&#039;s Review Ratings", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-02T11:31:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c057a98-4a8d-408a-b6a4-3c322bfa0cdf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xavins-review-ratings/trunk/xavins-review-ratings.php#L293"}], "descriptions": [{"lang": "en", "value": "The Xavin&#039;s Review Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xrr' shortcode in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:07.779Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4170", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:07.779Z", "dateReserved": "2025-05-01T12:17:21.705Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-03T01:43:05.396Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Xavin&#039;s Review Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xrr' shortcode in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Xavin's Review Ratings para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode 'xrr' del complemento en todas las versiones hasta la 1.4.0 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4170", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-03T03:15:28.493", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/xavins-review-ratings/trunk/xavins-review-ratings.php#L293"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c057a98-4a8d-408a-b6a4-3c322bfa0cdf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:35:57.409563+00:00", "value": {"mitigation_remediation": ["Upgrade Xavin's Review Ratings to version 1.4.1 or later, which includes proper input sanitization and output escaping for the xrr shortcode.", "Temporarily disable the plugin or its xrr shortcode while awaiting the patch.", "Remove or restrict contributor-level access until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Xavin's Review Ratings plugin for WordPress with version 1.4.0 or earlier are affected. The plugin is available from the WordPress repository and can be found under the vendor name xavinnydek within the WordPress plugin ecosystem.", "description_and_impact": "The vulnerability resides in the xrr shortcode of Xavin's Review Ratings, where user supplied attributes are neither sanitized nor escaped. A contributor or higher user can place script code in these attributes, resulting in stored XSS that will execute in a visitor's browser whenever the content is displayed. This allows an attacker to run arbitrary client\u2011side code, potentially compromising user credentials, hijacking sessions, or defacing the site. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity; the EPSS score of less than 1% reflects a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The required attack conditions include an authenticated WordPress session with at least contributor\u2011level permissions, giving attackers the ability to modify plugin content where the shortcode is used. Once injected, the malicious script runs in the context of any user who visits the impacted page."}}}}, "created": "2026-04-22T01:45:05.620762+00:00", "updated": "2026-04-22T01:45:05.620775+00:00", "vendors": []}