tarteaucitron.io < 1.9.5 – Contributor+ Stored XSS | CVE 2025-4955 | Plugin Vulnerabilities

Description

The plugin uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.

Proof of Concept

As a contributor create a new post containing this shortcode:

`[embed]https://www.youtube.com/playlist?v=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%3E&amp;list=PLlWI1CyFqWe_uaplg09BoQUOzOIeXe4e3[/embed]`

When the post is displayed, the JS is executed.

Affects Plugins

tarteaucitronjs

Fixed in 1.9.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

b84a73a4-7e9b-4994-a9bb-ad47f7cf45da

Timeline

Publicly Published

2025-05-28 (about 7 months ago)

Added

2025-05-28 (about 7 months ago)

Last Updated

2025-05-28 (about 7 months ago)

Other

Published

Title

Published

2014-08-01

Title

Amerisale-Re - netriesdetail/upload.php edit Parameter Reflected XSS

Published

2024-11-22

Title

Twitter Follow Button < 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via username Parameter

Published

2021-10-14

Title

HAL < 2.2 - Admin+ Stored Cross-Site Scripting

Published

2024-09-30

Title

AVIF & SVG Uploader < 1.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2025-10-06

Title

Betheme <= 28.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting