{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5083", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-22T08:46:01.922Z", "datePublished": "2025-08-31T04:25:48.840Z", "dateUpdated": "2026-04-08T17:05:04.096Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:04.096Z"}, "affected": [{"vendor": "milmor", "product": "Amministrazione Trasparente", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Amministrazione Trasparente <= 9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via print_r Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8741bbdf-ddd9-41f7-8d22-b9350f2cf659?source=cve"}, {"url": "https://github.com/WPGov/amministrazione-trasparente/blob/31e69c2ef42f36bca0b66d0550794d18292f5a23/settings.php#L49-L50"}, {"url": "https://github.com/WPGov/amministrazione-trasparente/blob/31e69c2ef42f36bca0b66d0550794d18292f5a23/settings.php#L59-L60"}, {"url": "https://wordpress.org/plugins/amministrazione-trasparente/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3352443/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "timeline": [{"time": "2025-07-17T08:23:27.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-30T16:22:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-02T20:45:08.497101Z", "id": "CVE-2025-5083", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-02T20:45:21.159Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5083", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-02T20:45:08.497101Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-02T20:45:14.988Z"}}], "cna": {"title": "Amministrazione Trasparente <= 9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via print_r Function", "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "milmor", "product": "Amministrazione Trasparente", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-17T08:23:27.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-30T16:22:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8741bbdf-ddd9-41f7-8d22-b9350f2cf659?source=cve"}, {"url": "https://github.com/WPGov/amministrazione-trasparente/blob/31e69c2ef42f36bca0b66d0550794d18292f5a23/settings.php#L49-L50"}, {"url": "https://github.com/WPGov/amministrazione-trasparente/blob/31e69c2ef42f36bca0b66d0550794d18292f5a23/settings.php#L59-L60"}, {"url": "https://wordpress.org/plugins/amministrazione-trasparente/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3352443/"}], "descriptions": [{"lang": "en", "value": "The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:04.096Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5083", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:04.096Z", "dateReserved": "2025-05-22T08:46:01.922Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-31T04:25:48.840Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-5083", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-31T05:15:32.410", "references": [{"source": "security@wordfence.com", "url": "https://github.com/WPGov/amministrazione-trasparente/blob/31e69c2ef42f36bca0b66d0550794d18292f5a23/settings.php#L49-L50"}, {"source": "security@wordfence.com", "url": "https://github.com/WPGov/amministrazione-trasparente/blob/31e69c2ef42f36bca0b66d0550794d18292f5a23/settings.php#L59-L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3352443/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/amministrazione-trasparente/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8741bbdf-ddd9-41f7-8d22-b9350f2cf659?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:52:44.908456+00:00", "value": {"mitigation_remediation": ["Update the Amministrazione Trasparente plugin to the latest version (9.1 or later) to remove the vulnerability.", "If an update is not feasible, limit administrator accounts to trusted personnel and disable the unfiltered_html option to reduce the attack surface.", "Scan the plugin\u2019s settings options for previously injected scripts and delete any malicious entries, or temporarily deactivate the plugin until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (authenticated admin)"}, "threat_synthesis": {"affected_systems": "Users operating a multi\u2011site WordPress installation that includes milmor\u2019s Amministrazione Trasparente plugin at version 9.0 or earlier, and where the option unfiltered_html is disabled, are vulnerable. The vulnerability applies only to this plugin and is bounded to the installation mentioned; other plugins or WordPress core are not directly affected.", "description_and_impact": "The Amministrazione Trasparente WordPress plugin contains a stored cross\u2011site scripting flaw that permits an attacker with administrator privileges to insert arbitrary JavaScript into plugin settings. Once injected, the malicious script runs in the browsers of any user who views the affected page, enabling session hijacking, credential theft, or defacement. The weakness is rooted in insufficient input sanitization and the omission of explicit output escaping, which is reflected in CWE\u201179. The capability is limited to authenticated users with administrative roles; unauthenticated users cannot trigger it.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector requires authenticated administrator access; therefore, an attacker must first compromise or compromise credentials for an administrative account. There is no evidence of a public exploit at this time, but the potential for malicious JavaScript rendering raises user\u2011level risk if compromise occurs."}}}}, "created": "2025-09-02T15:23:25.096002+00:00", "updated": "2026-04-22T01:00:04.360842+00:00", "vendors": ["amministrazione_trasparente_project", "amministrazione_trasparente_project$PRODUCT$amministrazione_trasparente", "wordpress", "wordpress$PRODUCT$wordpress"]}