{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6039", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-12T20:15:19.679Z", "datePublished": "2025-07-04T01:44:06.031Z", "dateUpdated": "2026-04-08T17:34:52.148Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:52.148Z"}, "affected": [{"vendor": "cageehv", "product": "ProcessingJS for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ProcessingJS for WordPress <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fcda8a7a-40e3-416e-940a-ba0245dcaa7d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/processingjs-for-wp/trunk/processingjs-for-wp.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-07-03T12:18:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-07T14:38:37.685211Z", "id": "CVE-2025-6039", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T15:01:56.876Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-07T14:38:37.685211Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T14:40:56.493Z"}}], "cna": {"title": "ProcessingJS for WordPress <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "cageehv", "product": "ProcessingJS for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-03T12:18:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fcda8a7a-40e3-416e-940a-ba0245dcaa7d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/processingjs-for-wp/trunk/processingjs-for-wp.php"}], "descriptions": [{"lang": "en", "value": "The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:52.148Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6039", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:52.148Z", "dateReserved": "2025-06-12T20:15:19.679Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-04T01:44:06.031Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento ProcessingJS para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'pjs4wp' en todas las versiones hasta la 1.2.2 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6039", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-04T03:15:21.910", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/processingjs-for-wp/trunk/processingjs-for-wp.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fcda8a7a-40e3-416e-940a-ba0245dcaa7d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:23:53.317682+00:00", "value": {"mitigation_remediation": ["Update the ProcessingJS for WordPress plugin to the latest version (\u2265 1.2.3) that addresses the XSS flaw", "Disable or remove the \u2018pjs4wp\u2019 shortcode from existing pages to eliminate the stored code injection vector", "Restrict contributor\u2011level access or review role permissions so that only trusted users can use the shortcode"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress users running the ProcessingJS for WordPress plugin from cageehv are affected. All released versions up to and including 1.2.2 are vulnerable; versions newer than 1.2.2 contain the fix.", "description_and_impact": "For the ProcessingJS for WordPress plugin, a vulnerability allows authenticated attackers with contributor\u2011level or higher privileges to embed malicious scripts into pages through the \u2018pjs4wp\u2019 shortcode. This flaw arises from insufficient sanitization of user supplied attributes and lack of proper output escaping, giving attackers the ability to store arbitrary JavaScript that executes whenever any visitor loads the affected page. The impact is primarily client\u2011side compromise, including credential theft, session hijacking, or defacement of the site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity vulnerability. EPA on the low EPSS score of less than 1% suggests that real\u2011world exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. However, the requirement of contributor or superior access means that any user who gains such permissions can inject harmful code that would persist across all site visitors, making this a significant risk when access control is insufficient or roles are overly permissive."}}}}, "created": "2026-04-20T22:30:19.872081+00:00", "updated": "2026-04-20T22:30:19.872092+00:00", "vendors": []}