cleantalk
Vulnerabilities and Security Researches

Lottie Player block – Implement Lottie animations., CVE-2025-2579

CVE, Research URL

CVE-2025-2579

Home page URL

Security reports for Lottie Player block – Implement Lottie animations.

Application

Lottie Player block – Implement Lottie animations.

Published on
Apr 24, 2025
Research Description
The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
Affected versions
Min -, max 1.1.8.
Status
vulnerable
Previous vulnerability researches
Rank Math SEO with AI SEO Tools (CVE-2023-23888) , Jun 07, 2024
Rank Math SEO with AI SEO Tools (CVE-2020-11514) , Jun 07, 2024
Rank Math SEO with AI SEO Tools (CVE-2020-11515) , Jun 07, 2024
Rank Math SEO with AI SEO Tools (CVE-2019-14786) , Jun 07, 2024
Rank Math SEO with AI SEO Tools (CVE-2024-3665) , Jun 07, 2024
New vulnerability
Appsero Helper (CVE-2025-39377) , Apr 26, 2025
Lottie Player block – Implement Lottie animations. (CVE-2025-2579) , Apr 26, 2025
360 Product Rotation (CVE-2024-13823) , Apr 26, 2025
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin (CVE-2025-39400) , Apr 26, 2025
License For Envato (CVE-2025-39399) , Apr 25, 2025