{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67986", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:33.670Z", "datePublished": "2025-12-16T08:12:58.951Z", "dateUpdated": "2026-04-28T16:14:25.294Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "document-library-lite", "product": "Document Library Lite", "vendor": "Barn2 Plugins", "versions": [{"changes": [{"at": "1.2.0", "status": "unaffected"}], "lessThanOrEqual": "1.1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dr. M Fahad Khan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:23:49.655Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.<p>This issue affects Document Library Lite: from n/a through <= 1.1.7.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.This issue affects Document Library Lite: from n/a through <= 1.1.7."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.294Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Document Library Lite plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T16:12:21.163199Z", "id": "CVE-2025-67986", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:09:59.678Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67986", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T16:12:21.163199Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T16:12:48.971Z"}}], "cna": {"title": "WordPress Document Library Lite plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Dr. M Fahad Khan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Barn2 Plugins", "product": "Document Library Lite", "versions": [{"status": "affected", "changes": [{"at": "1.2.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.7"}], "packageName": "document-library-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:23:49.655Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.This issue affects Document Library Lite: from n/a through <= 1.1.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.<p>This issue affects Document Library Lite: from n/a through <= 1.1.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.294Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67986", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:25.294Z", "dateReserved": "2025-12-15T10:00:33.670Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:12:58.951Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.This issue affects Document Library Lite: from n/a through <= 1.1.7."}], "id": "CVE-2025-67986", "lastModified": "2026-04-27T18:16:52.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-16T09:16:00.507", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:14:08.094491+00:00", "value": {"mitigation_remediation": ["Upgrade the Document Library Lite plugin to a version newer than 1.1.7 once an update is available.", "If an update cannot be applied immediately, disable or remove the plugin to prevent the vulnerability from being exploitable.", "Implement a site\u2011wide Content Security Policy that restricts inline script execution to reduce the impact of any residual XSS payloads."], "summary": {"action": "Patch Now", "impact": "DOM\u2011based cross\u2011site scripting (XSS) that can allow attackers to execute arbitrary JavaScript in the context of affected users."}, "threat_synthesis": {"affected_systems": "Barn2 Plugins Document Library Lite several WordPress sites that use the plugin version 1.1.7 or older. The CWE identified for this issue is CWE-79, representing a cross\u2011site scripting weakness.", "description_and_impact": "The vulnerability arises from improper neutralization of user\u2011supplied input during web page generation in the Barn2 Plugins Document Library Lite plugin, which leads to a DOM\u2011based XSS condition. An attacker can inject malicious scripts that execute in the browsers of users who view pages rendered by the plugin, potentially enabling session hijacking, defacement, or data theft. The description indicates a scripting flaw, but no explicit statement about mitigation by standard sanitization is provided. The likely attack vector is an exploitable input field or URL parameter processed by the plugin, though the exact vector is not explicitly stated.", "risk_and_exploitability": "The CVSS score is 5.9, indicating moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to provide crafted input to the plugin; successful exploitation would allow the attacker to inject and run arbitrary JavaScript in the victim\u2019s browser, leading to potential credential compromise or defacement."}}}}, "created": "2025-12-16T17:09:01.566444+00:00", "updated": "2026-04-28T10:15:28.864794+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}