{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5490", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-02T23:14:09.364Z", "datePublished": "2025-06-19T05:26:56.567Z", "dateUpdated": "2026-04-08T16:37:13.743Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:13.743Z"}, "affected": [{"vendor": "antoineh", "product": "Football Pool", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.12.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16a285b1-7a20-455f-8f74-2e468dd436d3?source=cve"}, {"url": "https://wordpress.org/plugins/football-pool/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3313611%40football-pool&new=3313611%40football-pool&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-06-18T16:35:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-20T12:38:17.699359Z", "id": "CVE-2025-5490", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T13:11:51.329Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5490", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-20T12:38:17.699359Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T12:38:18.849Z"}}], "cna": {"title": "Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "antoineh", "product": "Football Pool", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.12.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-18T16:35:19.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16a285b1-7a20-455f-8f74-2e468dd436d3?source=cve"}, {"url": "https://wordpress.org/plugins/football-pool/#developers"}], "descriptions": [{"lang": "en", "value": "The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-06-19T05:26:56.567Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5490", "state": "PUBLISHED", "dateUpdated": "2025-06-20T13:11:51.329Z", "dateReserved": "2025-06-02T23:14:09.364Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-19T05:26:56.567Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:antoineh:football_pool:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1D962269-879A-45FC-B781-3674CD4F9855", "versionEndExcluding": "2.12.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El complemento Football Pool para WordPress es vulnerable a Cross-site Scripting almacenado a trav\u00e9s de la configuraci\u00f3n de administrador en todas las versiones hasta la 2.12.4 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con permisos de administrador o superiores, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio y a instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2025-5490", "lastModified": "2026-04-08T17:20:48.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-19T06:15:19.347", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3313611%40football-pool&new=3313611%40football-pool&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/football-pool/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16a285b1-7a20-455f-8f74-2e468dd436d3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:15:39.816759+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Football Pool plugin (2.12.5 or newer) which removes the unsanitized input handling.", "If the plugin cannot be updated immediately, restrict the unfiltered_html capability for administrators in the WordPress network and remove any custom fields that allow raw HTML in the plugin settings.", "Configure a web application firewall to block script tags or other malicious payloads from being stored in the plugin\u2019s configuration fields."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (Stored)"}, "threat_synthesis": {"affected_systems": "All installations of the Football Pool plugin from any version up to and including 2.12.4, for which the WordPress installation is a multi\u2011site network and the unfiltered_html capability is disabled. The affected product is the WordPress plugin Football Pool published by the vendor antoineh.", "description_and_impact": "The Football Pool plugin for WordPress has a stored cross\u2011site scripting flaw that allows any authenticated user with administrative or higher privileges to insert arbitrary JavaScript via the plugin\u2019s admin settings. Because the input is not properly sanitized or escaped, the injected script runs whenever a page containing the stored data is viewed by any user. This can enable session hijacking, credential theft, or defacement of the site. The weakness is a classic input validation failure (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate severity. The EPSS score is below 1\u202f%, suggesting that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate as an administrator or higher level and then use the plugin\u2019s configuration interface to inject the malicious payload. Once injected, the payload will execute for all users who view the affected page, giving the attacker the same access rights as those users. The likely attack vector is the administrative panel of the plugin, and the condition of a multi\u2011site WordPress environment with unfiltered_html disabled is required for exploitation."}}}}, "created": "2026-04-22T17:30:22.629659+00:00", "updated": "2026-04-22T17:30:22.629689+00:00", "vendors": []}