{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9058", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-15T09:51:32.031Z", "datePublished": "2025-09-09T05:25:43.453Z", "dateUpdated": "2026-04-08T17:23:32.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:32.735Z"}, "affected": [{"vendor": "Mikado Themes", "product": "Mikado Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mikado Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Mikado Core <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cba546d8-df3e-4ada-9cf9-663baf175dd0?source=cve"}, {"url": "https://themeforest.net/user/mikado-themes/portfolio"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-08-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-08-22T16:15:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-08T17:10:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-09T19:25:42.612506Z", "id": "CVE-2025-9058", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-09T19:25:49.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-09T19:25:42.612506Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-09T19:25:46.679Z"}}], "cna": {"title": "Mikado Core <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Mikado Themes", "product": "Mikado Core", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-15T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-08-22T16:15:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-08T17:10:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cba546d8-df3e-4ada-9cf9-663baf175dd0?source=cve"}, {"url": "https://themeforest.net/user/mikado-themes/portfolio"}], "descriptions": [{"lang": "en", "value": "The Mikado Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:32.735Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9058", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:32.735Z", "dateReserved": "2025-08-15T09:51:32.031Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-09T05:25:43.453Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Mikado Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9058", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-09T06:15:34.237", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/user/mikado-themes/portfolio"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cba546d8-df3e-4ada-9cf9-663baf175dd0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:41:22.211659+00:00", "value": {"mitigation_remediation": ["Upgrade Mikado Core to the latest version, ensuring it is newer than 1.5.2.", "If an upgrade is not immediately possible, remove or disable the use of shortcodes that accept user input on public\u2011facing pages.", "Apply WordPress content sanitization filters or plugins that prevent execution of embedded scripts in user\u2011generated content."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via Shortcode"}, "threat_synthesis": {"affected_systems": "All installations of Mikado Core version 1.5.2 or earlier are affected. The vulnerability applies to any WordPress site that uses this plugin and permits contributors or higher roles to insert or edit page content. No specific patch version is listed in the supplied data, so administrators should verify that the plugin has been updated beyond 1.5.2.", "description_and_impact": "The Mikado Core plugin for WordPress contains a stored cross\u2011site scripting vulnerability that is triggered by maliciously crafted shortcodes. When a user with contributor or higher privileges submits content containing user\u2011supplied attributes that are not properly sanitized or escaped, the payload is saved into the page. Any visitor who loads the affected page will have the malicious script executed in their browser, allowing the attacker to steal information, hijack sessions, or deface the site. The weakness is a classic input validation error (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity impact. The EPSS score of < 1% suggests that exploitation is unlikely but still possible, especially against sites with many users. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated user with contributor permissions, so any compromised contributor account can serve as a foothold to inject the payload. If an attacker controls such an account, the malicious script will run for all site visitors who view the affected page."}}}}, "created": "2025-09-09T21:31:38.217596+00:00", "updated": "2026-04-20T19:45:15.510559+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}