CVE-2025-5083
BaseFortify
Publication date: 2025-08-31
Last updated on: 2025-09-02
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpgov | amministrazione_trasparente | 9.0 |
| wpgov | amministrazione_trasparente | 9.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Amministrazione Trasparente WordPress plugin is a Stored Cross-Site Scripting (XSS) issue affecting versions up to and including 9.0. It occurs due to insufficient input sanitization and output escaping in the admin settings. Authenticated users with administrator-level permissions or higher can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page. This vulnerability specifically affects multi-site installations and installations where the unfiltered_html setting is disabled. [2]
How can this vulnerability impact me?
This vulnerability allows an attacker with administrator-level access to inject malicious scripts into the website's pages. These scripts can execute in the context of users visiting the affected pages, potentially leading to unauthorized actions such as stealing user credentials, performing actions on behalf of users, or defacing the site. Since the vulnerability is a stored XSS, the malicious code persists and affects all users who access the injected content, increasing the risk and impact. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Amministrazione Trasparente WordPress plugin is installed and running a version up to and including 9.0 on a multi-site installation or where unfiltered_html is disabled. Additionally, administrative interface warnings about documents without associated taxonomy terms ('tipologie') or duplicate taxonomy term associations can indicate potential issues. There are no specific network commands provided, but inspecting the plugin version via WordPress backend or using WP-CLI commands like `wp plugin list` to check the plugin version can help detect vulnerable installations. Also, reviewing the plugin settings and taxonomy associations in the WordPress admin panel can help identify misconfigurations that might be exploited. [2]
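As an added example (not part of the BaseFortify record or the plugin project), the following script turns the `wp plugin list` check above into a repeatable triage step: it reads the JSON that `wp plugin list --format=json` prints, compares the installed version against the fixed release 9.1, and combines that with the two exposure conditions the advisory names (multisite, or unfiltered_html disabled). The plugin slug and the sample plugin list are assumptions.

```python
"""Offline triage helper for CVE-2025-5083 (Amministrazione Trasparente stored XSS).
Input: JSON from `wp plugin list --format=json` plus two site flags; output: whether
the installed version is in the affected range and whether the site is exposed."""
import json

# Assumption: the plugin's directory slug as reported by WP-CLI. Verify it against
# the `name` column of `wp plugin list` on your own install.
PLUGIN_SLUG = "amministrazione-trasparente"
FIXED_VERSION = "9.1"  # first release with the sanitization and escaping fixes

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "9.0"},
])


def parse_version(text):
    """Turn '9.0' or '9.1.2' into a comparable tuple of ints (non-digits dropped)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True when `version` sorts before the fixed release, i.e. 9.0 and below."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))  # pad so that '9' and '9.0' compare equal
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess(plugin_list_json, multisite, unfiltered_html_disabled):
    """Combine the installed version with the exposure conditions from the advisory."""
    entry = next((p for p in json.loads(plugin_list_json) if p.get("name") == PLUGIN_SLUG), None)
    if entry is None:
        return {"installed": False, "vulnerable_version": False, "exposed": False}
    vulnerable = is_vulnerable_version(entry["version"])
    # The advisory scopes this stored XSS to multisite installs and to sites where
    # unfiltered_html is disabled; a single-site install with unfiltered_html is not in scope.
    exposed = vulnerable and (multisite or unfiltered_html_disabled)
    return {"installed": True, "version": entry["version"],
            "vulnerable_version": vulnerable, "exposed": exposed}


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_LIST, multisite=True, unfiltered_html_disabled=False))
```

On a live site, pipe the real `wp plugin list --format=json` output into `assess()` and set the two flags from your own knowledge of the install.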
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Amministrazione Trasparente plugin to version 9.1 or later, which contains security enhancements such as strict sanitization of settings and group configurations, output escaping, and improved taxonomy management to prevent injection attacks. Additionally, review and correct any taxonomy term associations and group configurations to avoid duplicates or unassociated terms. Ensuring that only trusted administrators have access to the plugin settings and that unfiltered_html is enabled only if necessary can also reduce risk. [2]