{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7655", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-14T17:46:45.530Z", "datePublished": "2025-07-19T02:22:56.974Z", "dateUpdated": "2026-04-08T16:41:43.998Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:43.998Z"}, "affected": [{"vendor": "tkrivickas", "product": "Live Stream Badger", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Live Stream Badger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livestream' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Live Stream Badger <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22a30301-f409-4c53-84d7-7799fb41c25b?source=cve"}, {"url": "https://plugins.svn.wordpress.org/live-stream-badger/tags/1.4.3/shortcode/class-embedded-stream.php"}, {"url": "https://plugins.svn.wordpress.org/live-stream-badger/tags/1.4.3/view/class-embedded-twitch-view.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-07-18T14:12:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-21T15:20:08.336996Z", "id": "CVE-2025-7655", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T15:20:19.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7655", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-21T15:20:08.336996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T15:20:15.490Z"}}], "cna": {"title": "Live Stream Badger <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "tkrivickas", "product": "Live Stream Badger", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-18T14:12:10.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22a30301-f409-4c53-84d7-7799fb41c25b?source=cve"}, {"url": "https://plugins.svn.wordpress.org/live-stream-badger/tags/1.4.3/shortcode/class-embedded-stream.php"}, {"url": "https://plugins.svn.wordpress.org/live-stream-badger/tags/1.4.3/view/class-embedded-twitch-view.php"}], "descriptions": [{"lang": "en", "value": "The Live Stream Badger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livestream' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:43.998Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7655", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:43.998Z", "dateReserved": "2025-07-14T17:46:45.530Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-19T02:22:56.974Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Live Stream Badger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livestream' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Live Stream Badger para WordPress es vulnerable a Cross-Site Scripting (XSS) Almacenado a trav\u00e9s del shortcode \"livestream\" del complemento en todas las versiones hasta la 1.4.3 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-7655", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-19T03:15:23.223", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/live-stream-badger/tags/1.4.3/shortcode/class-embedded-stream.php"}, {"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/live-stream-badger/tags/1.4.3/view/class-embedded-twitch-view.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22a30301-f409-4c53-84d7-7799fb41c25b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:05:12.096515+00:00", "value": {"mitigation_remediation": ["Upgrade the Live Stream Badger plugin to a version newer than 1.4.3, which contains the required input sanitization fix.", "Scan all content that uses the 'livestream' shortcode for embedded scripts that were not part of the original design and remove or neutralize them.", "Restrict or remove contributor\u2011level users\u2019 ability to add or edit the livestream shortcode, or apply stricter server\u2011side validation to prevent malicious attribute values."], "summary": {"action": "Upgrade plugin", "impact": "Stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the tkrivickas Live Stream Badger plugin version 1.4.3 or any earlier release are affected. All releases up to and including 1.4.3 contain the flaw.", "description_and_impact": "The Live Stream Badger plugin allows authenticated users with contributor\u2011level permissions or higher to insert arbitrary web scripts into the 'livestream' shortcode via unsanitized attributes. Those scripts are stored and will execute in the browsers of any site visitor who loads a page containing the injected shortcode. The exploit does not grant direct code execution on the server, but it can compromise the integrity of visited pages and potentially affect user session data or other client\u2011side resources as the attacker controls the injected script.", "risk_and_exploitability": "The CVSS score of 6.4 classifies the issue as moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation under current conditions. The vulnerability is not included in the CISA KEV catalog. Attackers must be authenticated and possess at least contributor-level privileges to insert malicious attributes, after which the injected scripts run in any user\u2019s browser that views the affected page."}}}}, "created": "2026-04-22T17:15:22.194255+00:00", "updated": "2026-04-22T17:15:22.194273+00:00", "vendors": []}