Description
The Typed JS: A typewriter style animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘typespeed’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Typed JS: A typewriter style animation plugin for WordPress. It stems from insufficient input sanitization and output escaping of the 'typespeed' parameter in all plugin versions up to and including 1.2.0. An authenticated user with Contributor or higher privileges can inject arbitrary JavaScript into the plugin settings, and the payload is persisted and served to any user who views the affected page, allowing the attacker to execute malicious scripts in the victim’s browser.

Affected Systems

Impact is confined to installations of the Typed JS: A typewriter style animation plugin provided by mrlegend1235 on WordPress sites, specifically versions 1.0 through 1.2.0. No other plugins or WordPress core components are affected according to the CNA data.

Risk and Exploitability

The CVSS score of 6.4 reflects a medium severity risk. The EPSS score of less than 1% indicates a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be the plugin’s options page: an authenticated Contributor‑level user can post malicious code via the typespeed field, store it in the database, and have it executed when anyone loads the page that includes the plugin. Because the flaw requires authenticated access and only affects users who view the affected content, its reach is limited to the audience of the injected pages.

Generated by OpenCVE AI on April 20, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Typed JS plugin to the latest version, which removes the vulnerability.
  • If an immediate update is not possible, restrict Contributor and higher roles from editing or saving the plugin’s options, effectively blocking the injection vector.
  • After updating or tightening permissions, cleanse the affected database entries to remove any injected scripts and verify that the typespeed parameter is stored safely.


Advisories
Source: EUVD
ID: EUVD-2025-4606
Title: The Typed JS: A typewriter style animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘typespeed’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Tue, 25 Feb 2025 18:30:00 +0000

Values added (none removed):
  • First Time appeared: Mrlegend1235; Mrlegend1235 typed Js
  • CPEs: cpe:2.3:a:mrlegend1235:typed_js:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Mrlegend1235; Mrlegend1235 typed Js

Thu, 20 Feb 2025 15:15:00 +0000

Values added (none removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 20 Feb 2025 09:30:00 +0000

Values added (none removed):
  • Description: The Typed JS: A typewriter style animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘typespeed’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title: Typed JS: A typewriter style animation <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via typespeed Parameter
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:59.958Z

Reserved: 2025-02-15T00:01:19.814Z

Link: CVE-2025-1328

Vulnrichment

Updated: 2025-02-20T14:21:16.914Z

NVD

Status: Analyzed

Published: 2025-02-20T10:15:12.337

Modified: 2025-02-25T18:03:46.410

Link: CVE-2025-1328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses