{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8690", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-06T21:50:58.724Z", "datePublished": "2025-08-12T02:24:47.163Z", "dateUpdated": "2026-04-08T17:01:55.132Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:55.132Z"}, "affected": [{"vendor": "addix", "product": "Simple Responsive Slider", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Simple Responsive Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7888aedb-5421-4c3a-8459-d6177b398a06?source=cve"}, {"url": "https://plugins.svn.wordpress.org/addi-simple-slider/tags/2.0/methods.php"}, {"url": "https://wordpress.org/plugins/addi-simple-slider/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-08-11T14:05:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T13:30:30.216920Z", "id": "CVE-2025-8690", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-13T20:19:04.998Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T13:30:30.216920Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T13:30:31.356Z"}}], "cna": {"title": "Simple Responsive Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "muhammad yudha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "addix", "product": "Simple Responsive Slider", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-11T14:05:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7888aedb-5421-4c3a-8459-d6177b398a06?source=cve"}, {"url": "https://plugins.svn.wordpress.org/addi-simple-slider/tags/2.0/methods.php"}, {"url": "https://wordpress.org/plugins/addi-simple-slider/#developers"}], "descriptions": [{"lang": "en", "value": "The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-12T02:24:47.163Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8690", "state": "PUBLISHED", "dateUpdated": "2025-08-13T20:19:04.998Z", "dateReserved": "2025-08-06T21:50:58.724Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-12T02:24:47.163Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Simple Responsive Slider para WordPress es vulnerable a Cross-Site Scripting almacenado en todas las versiones hasta la 2.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-8690", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-12T03:15:29.977", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/addi-simple-slider/tags/2.0/methods.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/addi-simple-slider/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7888aedb-5421-4c3a-8459-d6177b398a06?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:24:58.844807+00:00", "value": {"mitigation_remediation": ["Upgrade Simple Responsive Slider to the latest version available from the WordPress repository.", "If an upgrade cannot be performed immediately, remove the plugin or deactivate all contributor accounts until a patched version is installed.", "Apply a security plugin or custom ACL to restrict the Contributor role from adding or editing slider content.", "Monitor for unexpected script insertions."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected vendor is addix, product Simple Responsive Slider, all versions up to and including 2.0. No specific patch version is provided in the CNA data.", "description_and_impact": "The Simple Responsive Slider plugin for WordPress is vulnerable to stored Cross\u2011Site Scripting in all versions up to and including 2.0 due to insufficient input sanitization and output escaping. Authenticated users with Contributor level or higher can inject arbitrary scripts into pages that are then executed whenever any user views an affected page, potentially compromising user credentials or defacing the site.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4 and an EPSS score of less than 1%, indicating a relatively low likelihood of exploitation at this time. It is not listed in the CISA KEV catalog. The expected attack vector is a local authenticated attack where a contributor or higher writes malicious content into the slider. Because the attacker must first gain or use an existing contributor account, the risk is confined to sites with many contributor users, but once injected the script can affect all users who view the compromised page."}}}}, "created": "2025-08-12T11:46:50.556798+00:00", "updated": "2026-04-21T19:30:06.089759+00:00", "vendors": ["addix", "addix$PRODUCT$simple_responsive_slider_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}