Skip to main content

Tarteaucitron.Io EUVD-2025-18664

| CVE-2025-4955 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-06-18 contact@wpscan.com
WordPress XSS Tarteaucitron.Io PHP
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Patch available
Apr 16, 2026 - 05:29 EUVD
1.9.5
EUVD ID Assigned
Mar 14, 2026 - 22:49 euvd
EUVD-2025-18664
Analysis Generated
Mar 14, 2026 - 22:49 vuln.today
PoC Detected
Jul 02, 2025 - 19:25 vuln.today
Public exploit code
CVE Published
Jun 18, 2025 - 06:15 nvd
MEDIUM 4.7

DescriptionCVE.org

The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.

Analysis

The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Share

EUVD-2025-18664 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy