cleantalk
Vulnerabilities and Security Researches

Lottie Player block – Implement Lottie animations., CVE-2025-2579

CVE, Research URL

CVE-2025-2579

Home page URL

Security reports for Lottie Player block – Implement Lottie animations.

Application

Lottie Player block – Implement Lottie animations.

Published on
Apr 24, 2025
Research Description
The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
Affected versions
Min -, max 1.1.8.
Status
vulnerable
Previous vulnerability researches
WPExperts Square For GiveWP (CVE-2024-13713) , Feb 22, 2025
WPExperts Square For GiveWP (CVE-2024-47338) , Sep 30, 2024
New vulnerability
WoWHead Tooltips (CVE-2025-46449) , Apr 26, 2025
Bulk Assign Linked Products For WooCommerce (CVE-2025-46489) , Apr 26, 2025
WP Customize Login Page (CVE-2025-46485) , Apr 26, 2025
WP Customize Login Page (CVE-2025-46477) , Apr 26, 2025
Social Counter (CVE-2025-46473) , Apr 26, 2025