{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4219", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-02T12:57:08.194Z", "datePublished": "2025-05-21T09:21:52.216Z", "dateUpdated": "2026-04-08T17:23:53.860Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:53.860Z"}, "affected": [{"vendor": "darkyudex", "product": "DPEPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "DPEPress <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd273dc-9de3-4863-a787-db653f2003ca?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dpepress/trunk/dpepress.php#L72"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-05-20T20:34:26.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-21T10:11:32.016906Z", "id": "CVE-2025-4219", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T10:16:20.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-21T10:11:32.016906Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T10:11:33.851Z"}}], "cna": {"title": "DPEPress <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "darkyudex", "product": "DPEPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-20T20:34:26.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd273dc-9de3-4863-a787-db653f2003ca?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dpepress/trunk/dpepress.php#L72"}], "descriptions": [{"lang": "en", "value": "The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:53.860Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4219", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:53.860Z", "dateReserved": "2025-05-02T12:57:08.194Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-21T09:21:52.216Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento DPEPress para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode 'dpe' del complemento en todas las versiones hasta la 0.3 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4219", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-21T12:16:22.930", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dpepress/trunk/dpepress.php#L72"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd273dc-9de3-4863-a787-db653f2003ca?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:48:33.858116+00:00", "value": {"mitigation_remediation": ["Update the DPEPress plugin to the latest available version that removes the vulnerability.", "Disable or remove the \u2019dpe\u2019 shortcode from all posts and pages if an upgrade is not immediately possible.", "Aim to restrict contributor-level users from adding plugin shortcodes or consider revoking their capability until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the DPEPress WordPress plugin by darkyudex, specifically all releases through 0.3. Any WordPress site that has this plugin installed and whose moderator or contributor users can add the \u2019dpe\u2019 shortcode is at risk.", "description_and_impact": "The DPEPress plugin for WordPress, versions up to 0.3, allows authenticated users with contributor-level or higher rights to submit content that is inserted into the plugin\u2019s \u2019dpe\u2019 shortcode without proper sanitization or escaping. The input fields for shortcode attributes can thus contain arbitrary JavaScript, which is stored in the database and rendered when any site visitor loads a page containing the shortcode. This stored cross\u2011site scripting (CWE\u201179) can lead to session hijacking, cookie theft, or defacement of the site. The vulnerability is limited to users who can create or edit content with the plugin and does not depend on an untrusted external request.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a medium severity. The EPSS score is less than 1%, implying a very low likelihood of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with contributor or higher privileges, and then any site visitor will execute the injected script. While the attack vector is internal (authenticated role), the resulting script runs in the context of any visitor\u2019s browser, potentially compromising their credentials or defacing content."}}}}, "created": "2026-04-20T23:00:14.117583+00:00", "updated": "2026-04-20T23:00:14.117596+00:00", "vendors": []}