CVE-2025-4955

{"id": "CVE-2025-4955", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.2}]}, "published": "2025-06-18T06:15:28.397", "references": [{"url": "https://wpscan.com/vulnerability/b84a73a4-7e9b-4994-a9bb-ad47f7cf45da/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks."}, {"lang": "es", "value": "El complemento tarteaucitron.io de WordPress anterior a la versi\u00f3n 1.9.5 utiliza par\u00e1metros de consulta de las URL oEmbed de YouTube sin depurar estos par\u00e1metros correctamente, lo que podr\u00eda permitir a los usuarios con rol de colaborador y superior realizar ataques de Cross-site Scripting Almacenado."}], "lastModified": "2025-07-02T19:25:30.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amauri:tarteaucitron.io:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "639523B6-E76D-4FAD-A0AA-02D3C2D43882", "versionEndExcluding": "1.9.5"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}