{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9057", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-15T09:51:00.695Z", "datePublished": "2025-09-05T18:23:33.783Z", "dateUpdated": "2026-04-08T17:20:46.404Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:46.404Z"}, "affected": [{"vendor": "Mikado Themes", "product": "Biagiotti Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Biagiotti Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Biagiotti Core <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4e1ce97-c390-4b87-b68d-bbce93d4665f?source=cve"}, {"url": "https://themeforest.net/item/biagiotti-beauty-and-cosmetics-shop/24645919"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-08-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-08-22T16:11:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-05T18:40:48.632507Z", "id": "CVE-2025-9057", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-05T18:41:00.237Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-05T18:40:48.632507Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-05T18:40:51.795Z"}}], "cna": {"title": "Biagiotti Core <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Mikado Themes", "product": "Biagiotti Core", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-15T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-08-22T16:11:22.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4e1ce97-c390-4b87-b68d-bbce93d4665f?source=cve"}, {"url": "https://themeforest.net/item/biagiotti-beauty-and-cosmetics-shop/24645919"}], "descriptions": [{"lang": "en", "value": "The Biagiotti Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:46.404Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9057", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:46.404Z", "dateReserved": "2025-08-15T09:51:00.695Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-05T18:23:33.783Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Biagiotti Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9057", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-05T19:15:33.160", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/biagiotti-beauty-and-cosmetics-shop/24645919"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4e1ce97-c390-4b87-b68d-bbce93d4665f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:43:44.928942+00:00", "value": {"mitigation_remediation": ["Upgrade the Biagiotti Core plugin to the latest version (>= 2.1.4) which implements proper input validation and output escaping for shortcode attributes.", "Re\u2011review and clean existing posts and pages that contain shortcodes, removing any that contain untrusted attributes or scripts.", "Limit shortcode editing capabilities by restricting the Contributor role to content that does not include shortcodes, or disable shortcodes for users below Administrator level."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows authenticated contributors to inject arbitrary scripts which execute when any user accesses an affected page, enabling session hijacking, defacement, or data theft."}, "threat_synthesis": {"affected_systems": "Affected products are the Biagiotti Core WordPress plugin from Mikado Themes. Versions up to and including 2.1.3 are vulnerable. Any site running these versions is at risk until a fix is applied.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw that occurs when user\u2011supplied attributes in shortcode tags are not properly sanitized or escaped. It allows authenticated users with Contributor or higher permissions to inject malicious JavaScript which will run whenever any user views the affected page, potentially enabling session hijacking, defacement, or theft of sensitive data. This weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score is 6.4, indicating a moderate severity. With an EPSS score of less than 1\u202f% and no listing in CISA\u2019s KEV catalog, exploitation is expected to be rare, but the requirement of authenticated Contributor access means internal users can mount the attack. The risk remains significant for sites that allow contributors to edit content or use shortcodes, as the flaw leads to arbitrary script execution on front\u2011end pages."}}}}, "created": "2025-09-07T15:24:59.054143+00:00", "updated": "2026-04-20T19:45:15.513306+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}