{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9488", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-26T12:49:36.739Z", "datePublished": "2025-12-13T04:31:33.327Z", "dateUpdated": "2026-04-08T17:23:21.320Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:21.320Z"}, "affected": [{"vendor": "davidanderson", "product": "Redux Framework", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data\u2019 parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Redux Framework <= 4.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via data Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cabf776d-8749-45a8-94c1-7d1eef93a183?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.5.7/redux-core/inc/extensions/shortcodes/class-redux-shortcodes.php#L205"}, {"url": "https://wordpress.org/plugins/redux-framework/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402803%40redux-framework&new=3402803%40redux-framework&sfp_email=&sfph_mail=#file22"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-19T16:55:59.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-12T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:04.148093Z", "id": "CVE-2025-9488", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:46:53.451Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:04.148093Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:05.243Z"}}], "cna": {"title": "Redux Framework <= 4.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via data Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "davidanderson", "product": "Redux Framework", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.5.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T16:55:59.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-12T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cabf776d-8749-45a8-94c1-7d1eef93a183?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.5.7/redux-core/inc/extensions/shortcodes/class-redux-shortcodes.php#L205"}, {"url": "https://wordpress.org/plugins/redux-framework/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402803%40redux-framework&new=3402803%40redux-framework&sfp_email=&sfph_mail=#file22"}], "descriptions": [{"lang": "en", "value": "The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data\u2019 parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:21.320Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9488", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:21.320Z", "dateReserved": "2025-08-26T12:49:36.739Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:33.327Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data\u2019 parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9488", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:57.153", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.5.7/redux-core/inc/extensions/shortcodes/class-redux-shortcodes.php#L205"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402803%40redux-framework&new=3402803%40redux-framework&sfp_email=&sfph_mail=#file22"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/redux-framework/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cabf776d-8749-45a8-94c1-7d1eef93a183?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:56:14.065749+00:00", "value": {"mitigation_remediation": ["Upgrade Redux Framework to version 4.5.9 or later, which removes the input sanitization flaw.", "If an immediate upgrade is not possible, remove or manually sanitize any stored values in the data parameter, ensuring they are properly escaped before output.", "Restrict Contributor roles from accessing areas that allow input of the data parameter, or enforce stricter input validation and output escaping in line with CWE\u201179 mitigation guidelines."], "summary": {"action": "Apply Patch", "impact": "Stored Cross-Site Scripting via the data parameter (CWE\u201179)."}, "threat_synthesis": {"affected_systems": "WordPress sites running the Redux Framework plugin, specifically any installation of versions 4.5.8 or earlier. The vendor identified in the CNA is davidanderson. No further version granularity is provided beyond the upper bound of 4.5.8.", "description_and_impact": "The Redux Framework plugin for WordPress is vulnerable to stored XSS through insufficient sanitization of the data parameter in all releases up to and including version 4.5.8. An attacker who can authenticate with Contributor privileges or higher can inject malicious scripts into site pages, and those scripts will run whenever another user views the affected page, enabling session hijacking, defacement, or phishing attempts. This weakness directly affects web\u2011application integrity and user confidentiality.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1\u202f% implies a low but non\u2011zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no active, widespread exploitation has been reported. Attackers would need to first gain contributor\u2011level access to the site; once that condition is met, the stored payload can be triggered by any page viewer. Given these constraints, the threat remains significant for sites with many contributors but is limited compared to remote code execution scenarios."}}}}, "created": "2025-12-14T21:14:57.035178+00:00", "updated": "2026-04-20T19:00:10.697404+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}