Description
The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The AM LottiePlayer plugin for WordPress allows users with Author or higher roles to upload SVG files. The plugin does not sanitize or escape the content of those SVG files, which leads to stored cross‑site scripting. A malicious actor can embed JavaScript within the SVG, and the script will execute in the browsers of visitors who view the affected page, allowing the attacker to run arbitrary scripts on the site.

Affected Systems

The flaw is present in all releases of AM LottiePlayer up to and including version 3.6.0. WordPress sites that have this plugin installed and permit Author‑level users to upload SVG files are impacted. Any site that has not upgraded beyond 3.6.0 should be inspected for the presence of the plugin and the uploaded SVG content.

Risk and Exploitability

The CVSS base score of 5.4 indicates a moderate severity vulnerability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower current exploitation likelihood. Nonetheless, the requirement for an authenticated Author or higher user to upload an SVG is a realistic scenario in many collaborative WordPress environments. Once exploited, the injected script runs for every visitor to the affected page, providing a persistent attack surface. The exploitation path is straightforward: an authenticated user uploads a crafted SVG through the plugin’s interface.

Generated by OpenCVE AI on April 8, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AM LottiePlayer to the latest version (3.6.1 or newer) to eliminate the SVG sanitization issue.
  • If an update cannot be performed immediately, remove the ability for Author‑level users to upload SVG files or disable the upload feature entirely.
  • Search the uploads directory for any SVG files that may contain malicious content and delete or sanitize them.
  • Review site content for injected scripts and remove any that are found.
  • Ensure that WordPress core and other plugins are current, restrict user roles appropriately, and consider deploying a web application firewall to block XSS payloads.
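The third action above asks for a search of the uploads directory for SVG files carrying active content. The scanner below is an added example (not OpenCVE's or the plugin's code) that flags script elements, event-handler attributes, script-scheme URIs and SMIL animations that set them, which is the content a sanitizer such as the one missing here would have to strip; the sample SVG and the uploads path are constructed assumptions.

```python
import os
import re
from xml.etree import ElementTree as ET

# Element names and URI schemes that carry executable content in an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URI_ATTRS = {"href", "src", "action", "formaction"}  # xlink:href normalises to href
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

# Constructed sample (not a real upload): a handler attribute, a javascript: link and a script element.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<a xlink:href="javascript:void(0)"><text onmouseover="x">t</text></a><script/></svg>')

def local(name: str) -> str:
    """Strip the XML namespace from a tag or attribute: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings for active content in one SVG document."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML, inspect manually: {exc}"]
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URI_ATTRS and SCRIPT_URI.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"{name}= with {scheme}: URI on <{tag}>")
        # SMIL animation can assign a handler or href only at render time.
        if tag in ("set", "animate"):
            target = local(el.attrib.get("attributeName", ""))
            if target.startswith("on") or target in URI_ATTRS:
                findings.append(f"<{tag}> animates {target}")
    return findings

def scan_uploads(root_dir: str) -> dict[str, list[str]]:
    """Walk an uploads tree (e.g. wp-content/uploads) and report SVGs with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower().endswith(".svg"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits = scan_svg(fh.read())
                if hits:
                    report[path] = hits
    return report
```

Run `scan_uploads("/var/www/html/wp-content/uploads")` (path assumed) and review each reported file by hand before deleting it; a finding is a triage lead, not proof of a payload.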

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Johanaarstein; Johanaarstein am Lottieplayer; Wordpress; Wordpress wordpress
Vendors & Products  |                | Johanaarstein; Johanaarstein am Lottieplayer; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 07:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | AM LottiePlayer <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:54.482Z

Reserved: 2025-02-28T18:43:27.517Z

Link: CVE-2025-1794

Vulnrichment

Updated: 2026-04-08T14:47:24.759Z

NVD

Status: Deferred

Published: 2026-04-08T07:16:19.643

Modified: 2026-04-27T19:04:22.650

Link: CVE-2025-1794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:31Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')