- Description
- The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.
- Source
- contact@wpscan.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Secondary
- Base score
- 4.7
- Impact score
- 3.4
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Severity
- MEDIUM
- nvd@nist.gov
- CWE-79
- Hype score
- Not currently trending
CVE-2025-4955 Stored Cross-Site Scripting in https://t.co/iqgjExJzet WordPress Plugin Before 1.9.5 https://t.co/NRFgOOEqKQ
@VulmonFeeds
18 Jun 2025
88 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-4955 The https://t.co/uf1tu9qDdt WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users… https://t.co/vUIEGAwJTm
@CVEnew
18 Jun 2025
277 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:amauri:tarteaucitron.io:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"matchCriteriaId": "639523B6-E76D-4FAD-A0AA-02D3C2D43882",
"versionEndExcluding": "1.9.5"
}
],
"operator": "OR"
}
]
}
]