CVE Details
Basic Information
| Title | Auto Attachments <= 1.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting |
|---|---|
| Type | cve |
| Published | 2025-06-13T07:23:46.262Z |
| Last Seen | |
Product Information
| Vendor | kaisercrazy |
|---|---|
| Product | Auto Attachments |
| Version | * |
CVSS Information
| Base Score | 5.5 (MEDIUM) |
|---|---|
| Vector String | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L |
| Confidentiality Impact | Low (C:L) |
| Integrity Impact | Low (I:L) |
| Availability Impact | Low (A:L) |
AI Analysis
| AI Description | The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via admin settings in versions up to 1.8.5. This vulnerability allows authenticated attackers with administrator privileges to inject malicious scripts into pages, which execute when accessed. It only affects multi-site installations and those with unfiltered_html disabled. |
|---|---|
| AI Severity | Medium |
| Vendor | WordPress Community |
| Product | Auto Attachments |
| Affected Version | <= 1.8.5 |
Affected Products
- kaisercrazy Auto Attachments *
Additional Information
| CVE List | |
|---|---|
| CWE List | CWE-79 |
| Bulletin Family | |
References
Description
The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled, because on a standard single-site install administrators already hold the unfiltered_html capability and may post unfiltered markup by design, so no privilege boundary is crossed there.