{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4220", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-02T12:58:46.406Z", "datePublished": "2025-05-07T01:43:10.092Z", "dateUpdated": "2026-04-08T17:28:28.047Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:28.047Z"}, "affected": [{"vendor": "xavinnydek", "product": "Xavin&#039;s List Subpages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Xavin&#039;s List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xls' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Xavin's List Subpages <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df30f21a-cd3a-4391-9f59-81538fefabdc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xavins-list-subpages/trunk/xavins-list-subpages.php#L29"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-05-06T13:31:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:21:37.612853Z", "id": "CVE-2025-4220", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:21:53.723Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4220", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T13:21:37.612853Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:21:50.584Z"}}], "cna": {"title": "Xavin's List Subpages <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "xavinnydek", "product": "Xavin&#039;s List Subpages", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-06T13:31:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df30f21a-cd3a-4391-9f59-81538fefabdc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xavins-list-subpages/trunk/xavins-list-subpages.php#L29"}], "descriptions": [{"lang": "en", "value": "The Xavin&#039;s List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xls' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-07T01:43:10.092Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4220", "state": "PUBLISHED", "dateUpdated": "2025-05-07T13:21:53.723Z", "dateReserved": "2025-05-02T12:58:46.406Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-07T01:43:10.092Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Xavin&#039;s List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xls' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Xavin's List Subpages para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode 'xls' en todas las versiones hasta la 1.3 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4220", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-07T03:15:19.197", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/xavins-list-subpages/trunk/xavins-list-subpages.php#L29"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df30f21a-cd3a-4391-9f59-81538fefabdc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:55:06.349450+00:00", "value": {"mitigation_remediation": ["Upgrade Xavin's List Subpages to a version newer than 1.3, which contains proper input sanitization and output escaping for the shortcode attributes.", "If an upgrade is not immediately feasible, deactivate or remove the plugin to block the attack surface.", "Apply the principle of least privilege: limit contributor access to trusted users only and routinely audit role assignments.", "Deploy a Content Security Policy that disallows inline scripts, reducing the impact of potential XSS payloads."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting leading to arbitrary script execution on the site"}, "threat_synthesis": {"affected_systems": "WordPress users running the Xavin's List Subpages plugin, any version up to and including 1.3. The vulnerability is present only for accounts that can add or edit content with contributor or higher privileges. No other plugin versions or other products are listed as affected.", "description_and_impact": "The plugin\u2019s \u2018xls\u2019 shortcode accepts user\u2011supplied attributes without proper sanitization or escaping, allowing an authenticated user with contributor privileges or higher to inject arbitrary JavaScript that will run whenever a page containing the shortcode is viewed. This stored XSS can be used for defacement, cookie theft, or further exploitation of the site\u2019s users.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires an authenticated contributor or higher; thus the attack vector is inferred to be internal, via content creation or editing functions. Once injected, the malicious script executes in the context of any visitor, potentially enabling session hijacking or execution of additional payloads."}}}}, "created": "2026-04-20T23:00:14.172707+00:00", "updated": "2026-04-20T23:00:14.172719+00:00", "vendors": []}