{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8399", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-30T22:51:26.895Z", "datePublished": "2025-08-02T08:24:46.584Z", "dateUpdated": "2026-04-08T16:44:01.444Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:01.444Z"}, "affected": [{"vendor": "mmanifesto", "product": "Mmm Unity Loader", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018attributes\u2019 parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Mmm Unity Loader <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via attributes Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cee1d75-278c-45c6-915d-60aae6a4d3a2?source=cve"}, {"url": "https://plugins.svn.wordpress.org/mmm-unity-loader/trunk/mmm-unity-loader.php"}, {"url": "https://wordpress.org/plugins/mmm-unity-loader/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-08-01T19:37:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-04T13:43:26.523517Z", "id": "CVE-2025-8399", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T13:43:32.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8399", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-04T13:43:26.523517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T13:43:29.782Z"}}], "cna": {"title": "Mmm Unity Loader <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via attributes Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mmanifesto", "product": "Mmm Unity Loader", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-01T19:37:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cee1d75-278c-45c6-915d-60aae6a4d3a2?source=cve"}, {"url": "https://plugins.svn.wordpress.org/mmm-unity-loader/trunk/mmm-unity-loader.php"}, {"url": "https://wordpress.org/plugins/mmm-unity-loader/#developers"}], "descriptions": [{"lang": "en", "value": "The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018attributes\u2019 parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:01.444Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8399", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:01.444Z", "dateReserved": "2025-07-30T22:51:26.895Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-02T08:24:46.584Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018attributes\u2019 parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Mmm Unity Loader para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del par\u00e1metro \"attributes\" en todas las versiones hasta la 1.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-8399", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-02T09:15:48.340", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/mmm-unity-loader/trunk/mmm-unity-loader.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/mmm-unity-loader/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cee1d75-278c-45c6-915d-60aae6a4d3a2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:33:01.280547+00:00", "value": {"mitigation_remediation": ["Upgrade the Mmm Unity Loader plugin to the latest version that removes the vulnerable attributes field.", "If an upgrade is not yet available, delete or deactivate the plugin to eliminate the attack surface.", "Restrict or remove Contributor\u2011level access on the WordPress site and audit existing content for injected scripts to prevent malicious code from remaining on live pages"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2013Site Scripting that allows a contributor\u2011level attacker to inject arbitrary scripts into pages and have them executed for any user who views the page"}, "threat_synthesis": {"affected_systems": "All versions of the Mmm Unity Loader WordPress plugin up to and including 1.0, distributed by mmanifesto and listed on the WordPress plugin repository. The issue applies to any WordPress installation that has these plugins installed and permits Contributor\u2011level or higher users to edit content via the plugin\u2019s attributes field.", "description_and_impact": "The vulnerability in the Mmm Unity Loader plugin permits the storage of malicious JavaScript through the attributes parameter. When a page that contains the injected content is viewed, the browser executes the script, which could be used to steal session cookies, deface content, or perform other client\u2011side attacks. The impact is limited to the client\u2019s browser execution context, but it can affect all visitors to the offending page.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate overall risk. An EPSS score of less than 1% suggests exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to be logged in to WordPress with Contributor or higher privileges and to use the plugin\u2019s attributes input to store malicious code. Once the code is stored, it will run automatically for any user who accesses the affected page, making it a stealthy but client\u2011side attack vector."}}}}, "created": "2025-08-05T11:39:00.118496+00:00", "updated": "2026-04-22T14:45:19.273052+00:00", "vendors": ["mediamanifesto", "mediamanifesto$PRODUCT$mmm_unity_loader", "wordpress", "wordpress$PRODUCT$wordpress"]}