{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9333", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-21T22:23:14.471Z", "datePublished": "2025-10-03T11:17:08.738Z", "dateUpdated": "2026-04-08T16:42:45.565Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:45.565Z"}, "affected": [{"vendor": "ibachal", "product": "Smart Docs", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Smart Docs <= 1.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/269b0edd-2358-4a71-8fbe-de9a1c939807?source=cve"}, {"url": "https://wordpress.org/plugins/smart-docs/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-02T22:34:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T17:57:12.268821Z", "id": "CVE-2025-9333", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:00:08.745Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9333", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T17:57:12.268821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T17:57:17.638Z"}}], "cna": {"title": "Smart Docs <= 1.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ibachal", "product": "Smart Docs", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T22:34:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/269b0edd-2358-4a71-8fbe-de9a1c939807?source=cve"}, {"url": "https://wordpress.org/plugins/smart-docs/#developers"}], "descriptions": [{"lang": "en", "value": "The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:45.565Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9333", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:45.565Z", "dateReserved": "2025-08-21T22:23:14.471Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:08.738Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-9333", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:48.107", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/smart-docs/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/269b0edd-2358-4a71-8fbe-de9a1c939807?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:51:48.091825+00:00", "value": {"mitigation_remediation": ["Upgrade Smart Docs to the latest version available to address the stored XSS flaw", "Re\u2011enable the unfiltered_html capability only for trusted services or remove it entirely from the admin role in the affected multi\u2011site installation", "Implement a strong Content Security Policy that disallows inline scripts to mitigate the impact if the flaw persists until the patch is applied", "Regularly scan the plugin configuration for injected content to detect any residual exposure"], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting via authenticated admin settings"}, "threat_synthesis": {"affected_systems": "The flaw afflicts versions of the Smart Docs plugin up to and including 1.1.1 distributed by the vendor ibachal. It is specific to WordPress installations configured for multiple sites and where the option to allow unfiltered_html output has been turned off, meaning it only applies to environments that have tightened the default filtering behavior for administrators. All other single\u2011site installs or those retaining the unfiltered_html setting are unaffected.", "description_and_impact": "The Smart Docs plugin for WordPress contains a stored Cross\u2011Site Scripting weakness in its admin configuration that is triggered by insufficient input filtering and lack of output escaping. An attacker who has administrator channel access and above in a multi\u2011site WordPress deployment where the unfiltered_html capability has been disabled can embed arbitrary client\u2011side scripts that will be served to any user who views the affected configuration pages. This flaw gives the attacker the ability to run code in the victim\u2019s browser context, potentially compromising session cookies, defacing content, or exfiltrating sensitive information, thereby jeopardising both confidentiality and integrity as well as the broader availability of the site to legitimate users.", "risk_and_exploitability": "The CVSS score of 5.5 rates this flaw as medium severity, but the EPSS estimate of less than 1% indicates a very low probability of real\u2011world exploitation at this time. Because the vulnerability requires administrator\u2011level authentication and a specific multi\u2011site configuration with filtered HTML, the likelihood of widespread deployment of an attack vector remains low, and the flaw is not currently listed in CISA\u2019s KEV catalog. Nevertheless, once a site owner has granted admin rights in a filtered environment, the attacker can quickly poison the stored configuration data, allowing the malicious script to run on every subsequent view by any logged\u2011on user."}}}}, "created": "2025-10-06T14:43:11.850954+00:00", "updated": "2026-04-22T17:00:12.325022+00:00", "vendors": ["ibachal", "ibachal$PRODUCT$smart_docs", "wordpress", "wordpress$PRODUCT$wordpress"]}