Search criteria
2 vulnerabilities by taeggie
CVE-2025-6382 (GCVE-0-2025-6382)
Vulnerability from cvelistv5 – Published: 2025-07-24 09:22 – Updated: 2025-07-24 13:14
VLAI?
Title
Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute
Summary
The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin’s render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| taeggie | Taeggie Feed |
Affected:
* , ≤ 0.1.10
(semver)
|
Credits
Gilang Asra Bilhadi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-24T13:14:02.416245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T13:14:06.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Taeggie Feed",
"vendor": "taeggie",
"versions": [
{
"lessThanOrEqual": "0.1.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin\u2019s render() method takes the user-supplied name attribute and injects it directly into a \u003cscript\u003e tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T09:22:20.550Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f5ac78-5195-4b59-abc7-f41e487f9361?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/taeggie-feed/trunk/taeggie_feed.php"
},
{
"url": "https://wordpress.org/plugins/taeggie-feed/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-23T20:45:47.000+00:00",
"value": "Disclosed"
}
],
"title": "Taeggie Feed \u003c= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6382",
"datePublished": "2025-07-24T09:22:20.550Z",
"dateReserved": "2025-06-19T19:29:21.307Z",
"dateUpdated": "2025-07-24T13:14:06.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11748 (GCVE-0-2024-11748)
Vulnerability from cvelistv5 – Published: 2024-12-18 02:08 – Updated: 2024-12-18 16:36
VLAI?
Title
Taeggie Feed <= 0.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'taeggie-feed' shortcode in all versions up to, and including, 0.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| taeggie | Taeggie Feed |
Affected:
* , ≤ 0.1.9
(semver)
|
Credits
Youcef Hamdani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-18T16:24:24.731305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T16:36:48.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Taeggie Feed",
"vendor": "taeggie",
"versions": [
{
"lessThanOrEqual": "0.1.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027taeggie-feed\u0027 shortcode in all versions up to, and including, 0.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T02:08:59.494Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65d11459-5cad-4d8b-a81d-7f0dd4342a52?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/taeggie-feed/trunk/taeggie_feed.php#L40"
},
{
"url": "https://wordpress.org/plugins/taeggie-feed/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3207857%40taeggie-feed\u0026new=3207857%40taeggie-feed\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-17T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Taeggie Feed \u003c= 0.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11748",
"datePublished": "2024-12-18T02:08:59.494Z",
"dateReserved": "2024-11-26T14:32:53.194Z",
"dateUpdated": "2024-12-18T16:36:48.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}