{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6382", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-19T19:29:21.307Z", "datePublished": "2025-07-24T09:22:20.550Z", "dateUpdated": "2026-04-08T17:21:30.137Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:30.137Z"}, "affected": [{"vendor": "taeggie", "product": "Taeggie Feed", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin\u2019s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f5ac78-5195-4b59-abc7-f41e487f9361?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/taeggie-feed/trunk/taeggie_feed.php"}, {"url": "https://wordpress.org/plugins/taeggie-feed/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3336357/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-07-23T20:45:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:14:02.416245Z", "id": "CVE-2025-6382", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:14:06.275Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6382", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T13:14:02.416245Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:14:04.105Z"}}], "cna": {"title": "Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "taeggie", "product": "Taeggie Feed", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-23T20:45:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f5ac78-5195-4b59-abc7-f41e487f9361?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/taeggie-feed/trunk/taeggie_feed.php"}, {"url": "https://wordpress.org/plugins/taeggie-feed/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3336357/"}], "descriptions": [{"lang": "en", "value": "The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin\u2019s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:30.137Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6382", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:30.137Z", "dateReserved": "2025-06-19T19:29:21.307Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T09:22:20.550Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin\u2019s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Taeggie Feed para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode taeggie-feed del complemento en todas las versiones hasta la 0.1.10 incluida. El m\u00e9todo render() del complemento toma el atributo name proporcionado por el usuario y lo inyecta directamente en una etiqueta "}], "id": "CVE-2025-6382", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T10:15:27.140", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/taeggie-feed/trunk/taeggie_feed.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3336357/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/taeggie-feed/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f5ac78-5195-4b59-abc7-f41e487f9361?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:08:11.667919+00:00", "value": {"mitigation_remediation": ["Install a corrected version of the Taeggie Feed plugin newer than 0.1.10.", "If an update cannot be applied immediately, remove or disable the taeggie\u2011feed shortcode from all content and restrict contributor or author roles from editing plugin content.", "Patch the plugin code by escaping the name attribute before insertion, using WordPress functions such as esc_js() or esc_attr(), or add a custom filter that sanitizes the value before it is rendered."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all installations of the Taeggie Feed WordPress plugin with version 0.1.10 or earlier. Any site that has not upgraded beyond 0.1.10 may be compromised, regardless of other plugins or themes.", "description_and_impact": "The Taeggie Feed plugin for WordPress is vulnerable to stored cross\u2011site scripting because the plugin\u2019s render() method directly inserts unescaped user\u2011supplied data into a <script> tag. The flaw resides in the taeggie\u2011feed shortcode; the name attribute supplied by the user is used as both an id attribute and a data argument to jQuery.getScript() without any escaping. As a result, an attacker who can supply a crafted name value can embed arbitrary JavaScript that will be saved in the plugin\u2019s content and run whenever a page containing that shortcode is loaded.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS of <\u202f1% suggests a low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to be authenticated and have contributor\u2011level rights or higher; after injecting malicious JavaScript, any visitor to a page containing the taeggie\u2011feed shortcode will execute the payload in their browser context."}}}}, "created": "2025-07-24T21:26:43.664394+00:00", "updated": "2026-04-20T22:15:06.192557+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}