Description
The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-05-28
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The WP Attachments plugin for WordPress is vulnerable in all versions up to and including 5.0.12 because the attachment_id parameter is neither sanitized on input nor escaped on output, which allows unauthenticated attackers to inject JavaScript that is reflected in the page. This reflected cross-site scripting executes in a victim's browser when a crafted link containing the vulnerable parameter is opened, allowing an attacker to run arbitrary script within the site's origin, with whatever access the victim's session carries.

Affected Systems

The affected product is the WP Attachments plugin from milmor. All releases up to and including version 5.0.12 are impacted. No other vendors are mentioned in the data.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, meaning CISA has not confirmed exploitation in the wild. Consistent with the CVSS vector (AV:N, PR:N, UI:R), the attack vector is a network-reachable, unauthenticated request: a malicious URL that includes an unsanitized attachment_id parameter, which triggers the script when the victim follows the link.

Generated by OpenCVE AI on April 21, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Attachments plugin to the newest available release, which is expected to contain a fix for the attachment_id XSS issue.
  • If an upgrade is not possible, review any custom code that accesses the attachment_id parameter and modify it to use WordPress escaping functions such as esc_attr() or esc_html() before rendering.
  • Implement a web application firewall or input sanitization rule to block or escape JavaScript payloads that might be included in the attachment_id query string before the content is sent to the browser.
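The second recommendation above (escape the parameter before rendering) is illustrated below with an added PHP example. This is not code from the WP Attachments plugin; the unsafe pattern is constructed to show the class of defect the advisory describes (unsanitized input echoed unescaped), and the function names prefixed wpa_example_ are hypothetical. Which HTML context the real plugin renders the value into is not stated on the page, so the hardened version escapes for both attribute and text contexts.

```php
<?php
// Added illustration, not code from the WP Attachments plugin.

// Constructed unsafe pattern: the raw query parameter is concatenated
// straight into markup, so a crafted link reflects attacker-controlled
// characters into the page. This is the defect class behind CWE-79.
function wpa_example_render_unsafe() {
    $attachment_id = isset( $_GET['attachment_id'] ) ? $_GET['attachment_id'] : '';
    echo '<input type="hidden" name="attachment_id" value="' . $attachment_id . '">';
}

// Hardened version: validate on input and escape on output.
// An attachment ID is numeric, so absint() is the tightest sanitizer here;
// it coerces the value to a non-negative integer and anything else becomes 0.
function wpa_example_render_safe() {
    $attachment_id = isset( $_GET['attachment_id'] )
        ? absint( wp_unslash( $_GET['attachment_id'] ) )
        : 0;

    // Refuse to render anything for an ID that is not a real attachment post.
    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        return;
    }

    // esc_attr() for an attribute value, esc_html() for element text.
    // Even though $attachment_id is already an integer, escaping on output
    // keeps the function safe if the input handling is changed later.
    printf(
        '<input type="hidden" name="attachment_id" value="%s">',
        esc_attr( $attachment_id )
    );
    printf(
        '<p>Attachment: %s</p>',
        esc_html( get_the_title( $attachment_id ) )
    );
}
```

The key point for anyone reviewing custom code that touches attachment_id is that sanitization and escaping are separate steps: absint() constrains what the value can be, and esc_attr()/esc_html() constrain how it is emitted. Either one alone is not enough when the parameter is later reused in a different context.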

Generated by OpenCVE AI on April 21, 2026 at 20:37 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-16285
Title: The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

History

Wed, 28 May 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 May 2025 07:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Type: Title
Values Removed: (none)
Values Added: WP Attachments <= 5.0.12 - Reflected Cross-Site Scripting via attachment_id Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:00.843Z

Reserved: 2025-05-22T08:37:13.219Z

Link: CVE-2025-5082

Vulnrichment

Updated: 2025-05-28T14:32:55.173Z

NVD

Status: Deferred

Published: 2025-05-28T08:15:23.227

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')