Description
The WordPress Live Webcam Widget & Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Update Plugin
AI Analysis

Impact

The WordPress Live Webcam Widget & Shortcode plugin is vulnerable because attributes given to the webcam shortcode are not properly sanitized or escaped. This flaw allows an authenticated user with contributor or higher privileges to inject malicious scripts into a page that any visitor sees. The injected payload executes in the victim’s browser when the page is viewed.
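The advisory names the root cause as missing sanitization and escaping of shortcode attributes. The handler below is an added example written for this page, not the plugin's own code, and the attribute names (url, width, height, title) are assumed for illustration: it shows the unsafe interpolation pattern alongside a hardened version that whitelists attributes, coerces types, and escapes each value for the context it lands in.

```php
<?php
// Added example (not the plugin's code). Attribute names are assumed.

// Unsafe pattern: attribute values are concatenated straight into markup,
// so a contributor-controlled value can break out of the attribute.
function insecure_webcam_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'webcam' );
    return '<iframe src="' . $atts['url'] . '" title="' . $atts['title'] . '"></iframe>';
}

// Hardened pattern: default every accepted attribute, coerce or escape each one.
function secure_webcam_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'width' => 640, 'height' => 480, 'title' => 'Live webcam' ),
        $atts,
        'webcam'
    );

    // esc_url() with an explicit protocol list returns '' for any URL whose
    // scheme is not http/https, so the embed is simply dropped in that case.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }

    // Numeric attributes are coerced to non-negative integers; they cannot carry markup.
    $width  = absint( $atts['width'] );
    $height = absint( $atts['height'] );

    // Free text is sanitized on input and escaped for the HTML attribute context on output.
    $title = esc_attr( sanitize_text_field( $atts['title'] ) );

    return sprintf(
        '<iframe src="%s" width="%d" height="%d" title="%s"></iframe>',
        $url,
        $width,
        $height,
        $title
    );
}
add_shortcode( 'webcam', 'secure_webcam_shortcode' );
```

Only the hardened handler is registered; the insecure one is kept solely to show the pattern the advisory describes.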

Affected Systems

The vulnerability affects the WordPress Live Webcam Widget & Shortcode plugin from miksco, in all releases up to and including version 1.2. Sites that have not updated beyond 1.2 are vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 6.4, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires authenticated contributor access, an attacker must log in to the WordPress site; once authenticated they can add content that includes the webcam shortcode with malicious attributes. The malicious script is stored and will run for any user who views the affected page, providing a persistent attack surface.

Generated by OpenCVE AI on April 22, 2026 at 00:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Live Webcam Widget & Shortcode plugin to the latest available version that contains the fix.
  • If an update cannot be applied immediately, restrict contributor and higher roles from adding the webcam shortcode or temporarily disable the shortcode until the plugin is patched.
  • Identify and remove any pages or posts that contain the webcam shortcode with injected attributes, cleaning the stored script content.

Generated by OpenCVE AI on April 22, 2026 at 00:43 UTC.


Advisories

No advisories yet.

History

Tue, 21 Oct 2025 13:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Miksco; Miksco live Webcam Widget; Wordpress; Wordpress wordpress
Vendors & Products  |                | Miksco; Miksco live Webcam Widget; Wordpress; Wordpress wordpress

Tue, 14 Oct 2025 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 11 Oct 2025 09:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The WordPress Live Webcam Widget & Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | WordPress Live Webcam Widget & Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Miksco Live Webcam Widget
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:39.872Z

Reserved: 2025-09-08T19:23:46.130Z

Link: CVE-2025-10129

Vulnrichment

Updated: 2025-10-14T18:31:52.591Z

NVD

Status : Deferred

Published: 2025-10-11T10:15:40.453

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses