Description
The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-08-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (authenticated admin)
Action: Immediate Patch
AI Analysis

Impact

The Amministrazione Trasparente WordPress plugin contains a stored cross‑site scripting flaw that permits an attacker with administrator privileges to insert arbitrary JavaScript into plugin settings. Once injected, the malicious script runs in the browsers of any user who views the affected page, enabling session hijacking, credential theft, or defacement. The weakness is rooted in insufficient input sanitization and the omission of explicit output escaping, which is reflected in CWE‑79. The capability is limited to authenticated users with administrative roles; unauthenticated users cannot trigger it.

Affected Systems

Users operating a multi‑site WordPress installation that includes milmor’s Amministrazione Trasparente plugin at version 9.0 or earlier, and where the option unfiltered_html is disabled, are vulnerable. The vulnerability applies only to this plugin and is bounded to the installation mentioned; other plugins or WordPress core are not directly affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector requires authenticated administrator access; therefore, an attacker must first compromise or compromise credentials for an administrative account. There is no evidence of a public exploit at this time, but the potential for malicious JavaScript rendering raises user‑level risk if compromise occurs.

Generated by OpenCVE AI on April 22, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Amministrazione Trasparente plugin to the latest version (9.1 or later) to remove the vulnerability.
  • If an update is not feasible, limit administrator accounts to trusted personnel and disable the unfiltered_html option to reduce the attack surface.
  • Scan the plugin’s settings options for previously injected scripts and delete any malicious entries, or temporarily deactivate the plugin until a patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 00:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26456 The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Tue, 02 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Amministrazione Trasparente Project
Amministrazione Trasparente Project amministrazione Trasparente
Wordpress
Wordpress wordpress
Vendors & Products Amministrazione Trasparente Project
Amministrazione Trasparente Project amministrazione Trasparente
Wordpress
Wordpress wordpress

Sun, 31 Aug 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Amministrazione Trasparente <= 9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via print_r Function
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Amministrazione Trasparente Project Amministrazione Trasparente
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:04.096Z

Reserved: 2025-05-22T08:46:01.922Z

Link: CVE-2025-5083

cve-icon Vulnrichment

Updated: 2025-09-02T20:45:14.988Z

cve-icon NVD

Status : Deferred

Published: 2025-08-31T05:15:32.410

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5083

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses