{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8906", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-12T19:59:58.661Z", "datePublished": "2025-09-26T01:47:26.080Z", "dateUpdated": "2026-04-08T16:34:48.521Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:48.521Z"}, "affected": [{"vendor": "trustindex", "product": "Widgets for Tiktok Feed", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Widgets for Tiktok Feed <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b070542-83fc-4086-a40d-15a8d31fadc5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363725%40widgets-for-tiktok-video-feed&new=3363725%40widgets-for-tiktok-video-feed&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-09-03T15:01:02.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-25T13:31:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-26T19:20:21.834378Z", "id": "CVE-2025-8906", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:21:10.064Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-26T19:20:21.834378Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:20:58.754Z"}}], "cna": {"title": "Widgets for Tiktok Feed <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "trustindex", "product": "Widgets for Tiktok Feed", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-03T15:01:02.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-25T13:31:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b070542-83fc-4086-a40d-15a8d31fadc5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363725%40widgets-for-tiktok-video-feed&new=3363725%40widgets-for-tiktok-video-feed&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:48.521Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8906", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:48.521Z", "dateReserved": "2025-08-12T19:59:58.661Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-26T01:47:26.080Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8906", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-26T02:15:52.670", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363725%40widgets-for-tiktok-video-feed&new=3363725%40widgets-for-tiktok-video-feed&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b070542-83fc-4086-a40d-15a8d31fadc5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:17:18.451968+00:00", "value": {"mitigation_remediation": ["Update the Widgets for Tiktok Feed plugin to the latest available version (1.7.4 or newer) to fix the sanitization issue.", "Restrict contributor and other non\u2011admin roles from adding or editing content that uses the 'trustindex-feed' shortcode, or remove the shortcode from posts they can modify.", "Implement a content\u2011security\u2011policy header that limits executable scripts to trusted origins, which mitigates the impact of any residual or unforeseen XSS payloads."], "summary": {"action": "Patch Now", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Widgets for Tiktok Feed plugin for WordPress with version numbers up to and including 1.7.3 are affected. The vulnerability is present on any site that uses this plugin in those versions.", "description_and_impact": "The Widgets for Tiktok Feed plugin for WordPress is susceptible to stored cross\u2011site scripting through its 'trustindex-feed' shortcode. Because the plugin does not adequately sanitize or escape user\u2011supplied attributes, an authenticated user with contributor or higher privilege can inject malicious scripts that will run whenever a visitor loads a page containing the shortcode. This flaw corresponds to CWE\u201179 and allows attackers to hijack sessions, deface content, or perform other client\u2011side attacks.", "risk_and_exploitability": "The reported CVSS score of 6.4 ranks the flaw as moderate, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The flaw requires an authenticated contributor or higher role, meaning an attacker must first obtain sufficient permissions to add or edit the shortcode. Although not listed in the CISA KEV catalog, the combination of moderate severity and the need for elevated privileges means security teams should treat this as a noteworthy risk, especially on sites with open contributor access or shared hosting environments."}}}}, "created": "2025-09-26T11:35:24.141564+00:00", "updated": "2026-04-22T14:30:18.953074+00:00", "vendors": ["trustindex", "trustindex$PRODUCT$widgets_for_tiktok_feed", "wordpress", "wordpress$PRODUCT$wordpress"]}