{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6537", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-23T14:45:56.712Z", "datePublished": "2025-06-26T02:22:21.320Z", "dateUpdated": "2026-04-08T16:48:12.073Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:12.073Z"}, "affected": [{"vendor": "mdesignfa", "product": "Namasha By Mdesign", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.00", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018playicon_title\u2019 parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Namasha By Mdesign <= 1.2.00 - Authenticated (Contributor+) Stored Cross-Site Scripting via playicon_title Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f7616d0-7b42-4b2e-8378-18c24c7bf22b?source=cve"}, {"url": "https://wordpress.org/plugins/namasha-by-mdesign/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/namasha-by-mdesign/tags/1.2.05/front/class-core.php?rev=3332973#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/namasha-by-mdesign/tags/1.2.00/front/class-core.php?rev=3332973#L56"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-06-25T14:07:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T13:23:57.616533Z", "id": "CVE-2025-6537", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:24:07.247Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-26T13:23:57.616533Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:24:03.842Z"}}], "cna": {"title": "Namasha By Mdesign <= 1.2.00 - Authenticated (Contributor+) Stored Cross-Site Scripting via playicon_title Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mdesignfa", "product": "Namasha By Mdesign", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.00"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-25T14:07:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f7616d0-7b42-4b2e-8378-18c24c7bf22b?source=cve"}, {"url": "https://wordpress.org/plugins/namasha-by-mdesign/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/namasha-by-mdesign/tags/1.2.05/front/class-core.php?rev=3332973#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/namasha-by-mdesign/tags/1.2.00/front/class-core.php?rev=3332973#L56"}], "descriptions": [{"lang": "en", "value": "The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018playicon_title\u2019 parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:12.073Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6537", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:12.073Z", "dateReserved": "2025-06-23T14:45:56.712Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-26T02:22:21.320Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mdezign:namasha:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4E1E3EA4-CDD2-4E5C-8501-2ADEA5428DBA", "versionEndIncluding": "1.2.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018playicon_title\u2019 parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Namasha de Mdesign para WordPress es vulnerable a cross site scripting almacenado a trav\u00e9s del par\u00e1metro 'playicon_title' en todas las versiones hasta la 1.2.00 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6537", "lastModified": "2026-04-08T18:25:03.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-26T03:15:25.277", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/namasha-by-mdesign/tags/1.2.00/front/class-core.php?rev=3332973#L56"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/namasha-by-mdesign/tags/1.2.05/front/class-core.php?rev=3332973#L56"}, {"source": "security@wordfence.com", "tags": ["Product", "Release Notes"], "url": "https://wordpress.org/plugins/namasha-by-mdesign/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f7616d0-7b42-4b2e-8378-18c24c7bf22b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:06:59.809224+00:00", "value": {"mitigation_remediation": ["Upgrade the Namasha By Mdesign plugin to the latest available version.", "If an upgrade is not immediately possible, remove any playicon_title values that contain user\u2011supplied content and limit Contributor role access until the plugin is patched.", "After applying the patch or removal, perform a site\u2011wide content audit to eliminate any stored malicious scripts and apply password rotation for accounts with Contributor level."], "summary": {"action": "Immediate Upgrade", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the mdezign Namasha By Mdesign plugin, versions 1.2.00 and earlier. The affected plugin is listed as mdesignfa:Namasha By Mdesign in the CNA data and corresponds to the CPE cpe:2.3:a:mdezign:namasha:*:*:*:*:*:wordpress:*:*.", "description_and_impact": "The Namasha By Mdesign WordPress plugin has a stored Cross\u2011Site Scripting flaw caused by insufficient input sanitization and output escaping in the playicon_title parameter. An authenticated attacker with Contributor or higher privileges can inject arbitrary JavaScript that will execute whenever a user views a page containing the injected title, potentially leading to defacement, credential theft or session hijacking. The weakness is a classic input validation problem, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity, but the EPSS score of less than 1% shows that exploitation of this vulnerability is unlikely at present. The plugin is not included in the CISA KEV catalog, so no known exploitation campaigns have been reported. Attackers would need to log into WordPress with Contributor\u2011level access or higher, then supply a malicious playicon_title value through the plugin\u2019s management interface. From there, the stored payload will be delivered to all users who view the affected page."}}}}, "created": "2025-07-13T21:48:09.000776+00:00", "updated": "2026-04-22T04:15:07.536969+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}