{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4216", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-02T12:53:43.180Z", "datePublished": "2025-06-14T08:23:22.614Z", "dateUpdated": "2026-04-08T16:40:31.391Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:31.391Z"}, "affected": [{"vendor": "scada", "product": "DIOT SCADA with MQTT", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "DIOT SCADA with MQTT <= 1.0.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1cf23d79-5bd3-4224-835d-174653ddd504?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ecava-diot-scada/trunk/includes/shortcodes.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-06-13T19:42:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T16:46:05.363497Z", "id": "CVE-2025-4216", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T18:39:45.364Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4216", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-16T16:46:05.363497Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T16:47:18.734Z"}}], "cna": {"title": "DIOT SCADA with MQTT <= 1.0.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "scada", "product": "DIOT SCADA with MQTT", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-13T19:42:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1cf23d79-5bd3-4224-835d-174653ddd504?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ecava-diot-scada/trunk/includes/shortcodes.php"}], "descriptions": [{"lang": "en", "value": "The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:31.391Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4216", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:31.391Z", "dateReserved": "2025-05-02T12:53:43.180Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-14T08:23:22.614Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento DIOT SCADA con MQTT para WordPress es vulnerable a cross-site-scripting almacenado a trav\u00e9s del shortcode \"diot\" del complemento en todas las versiones hasta la 1.0.5.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4216", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-14T09:15:23.160", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ecava-diot-scada/trunk/includes/shortcodes.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1cf23d79-5bd3-4224-835d-174653ddd504?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T01:26:19.595289+00:00", "value": {"mitigation_remediation": ["Upgrade the DIOT SCADA with MQTT WordPress plugin to a version newer than 1.0.5.1 to eliminate the unescaped attribute handling.", "If an upgrade is not immediately possible, remove or disable the 'diot' shortcode so no further script injection can occur.", "Reduce the scope of contributor accounts by limiting their permissions to content that does not use the vulnerable shortcode, or consider disabling contributor access until the issue is patched."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any installation of the DIOT SCADA with MQTT plugin for WordPress that is running version 1.0.5.1 or earlier is affected. This includes all WordPress sites that have the plugin installed and have not upgraded beyond the stated version.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw that occurs when the DIOT SCADA with MQTT WordPress plugin\u2019s 'diot' shortcode accepts unescaped user input. It is a typical CWE\u201179 problem where insufficient input sanitization allows malicious scripts to be saved in the database and run in a user\u2019s browser. An attacker could inject JavaScript that executes whenever a page containing the injected content is viewed, potentially hijacking user sessions, exfiltrating data, or modifying page content.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4 and an EPSS score of less than 1\u202f%, indicating a moderate severity but a low probability of exploitation. It is not listed in the CISA KEV catalog. The attack requires an authenticated account with contributor rights or higher privileges, which are typically available to regular content editors. Once the malicious content is injected, every user who views the page will execute the injected scripts, providing an opportunity for widespread impact across the site\u2019s user base."}}}}, "created": "2026-04-28T01:30:17.924957+00:00", "updated": "2026-04-28T01:30:17.924994+00:00", "vendors": []}