{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5082", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-22T08:37:13.219Z", "datePublished": "2025-05-28T07:23:57.358Z", "dateUpdated": "2026-04-08T17:19:00.843Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:00.843Z"}, "affected": [{"vendor": "milmor", "product": "WP Attachments", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018attachment_id\u2019 parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "WP Attachments <= 5.0.12 - Reflected Cross-Site Scripting via attachment_id Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdc33ecc-da54-4852-8426-bfafe0dca41b?source=cve"}, {"url": "https://wordpress.org/plugins/wp-attachments/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-attachments/tags/5.0.12/inc/html/attachmentEditIframe.php"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-attachments/tags/5.0.12/inc/ij-post-attachments.php#L274"}, {"url": "https://plugins.trac.wordpress.org/changeset/3300269/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "timeline": [{"time": "2025-05-27T19:16:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-28T14:30:55.317445Z", "id": "CVE-2025-5082", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T14:37:40.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5082", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-28T14:30:55.317445Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T14:32:55.173Z"}}], "cna": {"title": "WP Attachments <= 5.0.12 - Reflected Cross-Site Scripting via attachment_id Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "milmor", "product": "WP Attachments", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-27T19:16:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdc33ecc-da54-4852-8426-bfafe0dca41b?source=cve"}, {"url": "https://wordpress.org/plugins/wp-attachments/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-attachments/tags/5.0.12/inc/html/attachmentEditIframe.php"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-attachments/tags/5.0.12/inc/ij-post-attachments.php#L274"}, {"url": "https://plugins.trac.wordpress.org/changeset/3300269/"}], "descriptions": [{"lang": "en", "value": "The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018attachment_id\u2019 parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:00.843Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5082", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:00.843Z", "dateReserved": "2025-05-22T08:37:13.219Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-28T07:23:57.358Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018attachment_id\u2019 parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento WP Attachments para WordPress es vulnerable a ataques Cross-Site Scripting Reflejado a trav\u00e9s del par\u00e1metro 'attachment_id' en todas las versiones hasta la 5.0.12 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-5082", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-28T08:15:23.227", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-attachments/tags/5.0.12/inc/html/attachmentEditIframe.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-attachments/tags/5.0.12/inc/ij-post-attachments.php#L274"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3300269/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wp-attachments/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdc33ecc-da54-4852-8426-bfafe0dca41b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:37:21.715389+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Attachments plugin to the newest available release, which is expected to contain a fix for the attachment_id XSS issue.", "If an upgrade is not possible, review any custom code that accesses the attachment_id parameter and modify it to use WordPress escaping functions such as esc_attr() or esc_html() before rendering.", "Implement a web application firewall or input sanitization rule to block or escape JavaScript payloads that might be included in the attachment_id query string before the content is sent to the browser."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the WP Attachments plugin from milmor. All releases up to and including version 5.0.12 are impacted. No other vendors are mentioned in the data.", "description_and_impact": "The WP Attachments plugin for WordPress is vulnerable in all versions up to 5.0.12 because the attachment_id parameter is not properly sanitized or escaped, which allows unauthenticated attackers to inject JavaScript that is reflected in the page. This reflected cross\u2011site scripting can execute malicious scripts in a victim's browser when a crafted link containing the vulnerable parameter is opened, potentially allowing an attacker to run arbitrary code within the context of the site.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been widely exploited. Based on the description, the likely attack vector is unauthenticated via a malicious URL that includes an unsanitized attachment_id parameter, which triggers the script when the victim follows the link."}}}}, "created": "2026-04-21T20:45:25.977318+00:00", "updated": "2026-04-21T20:45:25.977329+00:00", "vendors": []}