{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8691", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-06T21:53:41.704Z", "datePublished": "2025-09-11T07:25:03.555Z", "dateUpdated": "2026-04-08T17:33:38.133Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:38.133Z"}, "affected": [{"vendor": "softmus", "product": "WP Scriptcase", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Scriptcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Scriptcase <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6cb6fbc-456d-4912-a574-cb25ab16df3a?source=cve"}, {"url": "https://plugins.svn.wordpress.org/wp-scriptcase/trunk/wpscriptcase.php"}, {"url": "https://wordpress.org/plugins/wp-scriptcase/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-09-10T18:51:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T13:31:36.266886Z", "id": "CVE-2025-8691", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:36:52.311Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T13:31:36.266886Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T13:31:38.612Z"}}], "cna": {"title": "WP Scriptcase <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "softmus", "product": "WP Scriptcase", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:51:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6cb6fbc-456d-4912-a574-cb25ab16df3a?source=cve"}, {"url": "https://plugins.svn.wordpress.org/wp-scriptcase/trunk/wpscriptcase.php"}, {"url": "https://wordpress.org/plugins/wp-scriptcase/#developers"}], "descriptions": [{"lang": "en", "value": "The WP Scriptcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:38.133Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8691", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:38.133Z", "dateReserved": "2025-08-06T21:53:41.704Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:25:03.555Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Scriptcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8691", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:35.620", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/wp-scriptcase/trunk/wpscriptcase.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wp-scriptcase/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6cb6fbc-456d-4912-a574-cb25ab16df3a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:49:04.586096+00:00", "value": {"mitigation_remediation": ["Upgrade WP Scriptcase to the latest available version that removes the 'url' parameter issue.", "If an upgrade is not immediately possible, disable the plugin or remove the 'url' input functionality and restrict page editing to administrator users only.", "Deploy a robust content security policy that limits the execution of inline scripts to mitigate the impact of any residual XSS injection."], "summary": {"action": "Apply Patch", "impact": "Stored XSS that allows an authenticated contributor or higher to inject and execute arbitrary scripts on pages viewed by users"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WP Scriptcase plugin from vendor softmus, all releases up to and including version\u202f2.0.0. The flaw is present in every installation of the plugin in this range, regardless of WordPress version.", "description_and_impact": "The WP Scriptcase plugin contains a stored cross\u2011site scripting flaw triggered by the unfiltered 'url' parameter. When a contributor\u2011level user submits a malicious value in this field, the script is persisted and later rendered unescaped in page content. This enables the attacker to run scripts in the browser context of any user who visits the affected page. The weakness is a classic input validation and output encoding failure (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity risk. The EPSS score of less than 1\u202f% reflects a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need authenticated access to the WordPress site with at least contributor privileges; the flaw is exploited by submitting a crafted URL parameter that is later stored and executed when the page is viewed by any visitor."}}}}, "created": "2025-09-12T09:11:21.395804+00:00", "updated": "2026-04-20T22:00:11.182219+00:00", "vendors": ["softmus", "softmus$PRODUCT$wp_scriptcase_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}