CVE-2025-1529 in AM LottiePlayer

Summary

by MITRE • 05/01/2025

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis

by VulDB Data Team • 05/01/2025

The AM LottiePlayer plugin for WordPress contains a critical stored cross-site scripting vulnerability, tracked as CVE-2025-1529, that affects all versions up to and including 3.5.3. It stems from inadequate input sanitization and output escaping in the plugin's handling of uploaded Lottie files. An authenticated attacker with Author-level permissions or higher can use the Lottie upload functionality to inject JavaScript into the WordPress site. It is a stored XSS because the injected script is persisted on the server together with the uploaded file and runs whenever an affected page is viewed by any user, including administrators and regular site visitors.

The vulnerability arises when the plugin processes Lottie files without properly sanitizing user-supplied data. Lottie files are JSON-based animation files carrying many properties and parameters, and the plugin does not adequately validate or sanitize these values before storing them in the WordPress database. When a stored file is later rendered or processed, the injected JavaScript is embedded in the page output, creating a persistent vector for exploitation. This is a CWE-79 weakness of the stored variety: the malicious input is kept on the server and served to other users without proper sanitization. Because Authors are allowed to upload Lottie files, the attack requires only modest privileges, which makes the weakness particularly concerning for WordPress installations.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform various malicious activities within the compromised WordPress environment. An attacker could potentially steal user sessions, modify content, redirect users to malicious sites, or even escalate privileges within the WordPress installation. The vulnerability affects all users who access pages containing the malicious lottie files, making it a widespread threat that could impact site administrators, contributors, and regular visitors. The stored nature of the vulnerability means that even users who do not directly interact with the malicious content could be compromised simply by accessing pages that contain the injected scripts, creating a persistent threat vector that remains active until the malicious code is removed from the system.

Mitigation strategies for CVE-2025-1529 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement strict file validation mechanisms that reject lottie files containing suspicious or malformed JavaScript code before processing them. Additionally, administrators should consider implementing content security policies that limit script execution within the WordPress environment and regularly audit uploaded files for malicious content. The vulnerability demonstrates the importance of proper input validation and output escaping as outlined in the OWASP Top Ten and aligns with ATT&CK technique T1566.001 for malicious file upload and T1059.007 for script execution through web applications. Regular security monitoring and automated scanning of uploaded content should be implemented to detect and prevent similar vulnerabilities from being exploited in the future.
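The mitigation paragraph above names two defensive layers: validate an uploaded Lottie file before it is stored, and escape every value that reaches the page when it is rendered. The following Python is an added illustration of both layers and is not code from the AM LottiePlayer plugin or from the advisory. It assumes a minimal set of top-level Lottie keys, a size cap, a regular expression for script-like strings, and a `<lottie-player>` markup template; all of these are the example's own choices. It also assumes the documented Lottie convention that an animated property may carry a JavaScript expression as a string under the key `x`, and it strips such strings as a hardening step that the advisory does not itself prescribe.

```python
"""Server-side validation of uploaded Lottie (bodymovin) JSON, plus output escaping.

Added example for a defender; assumptions are marked in the comments.
"""
import html
import json
import re

# Assumption: every bodymovin animation carries these top-level keys.
REQUIRED_TOP_LEVEL_KEYS = {"v", "fr", "ip", "op", "w", "h", "layers"}

# Strings that have no place in animation data: HTML tags, javascript: URLs,
# inline event-handler attributes. Assumed pattern, tune for your own content.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!?]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

MAX_UPLOAD_BYTES = 4 * 1024 * 1024  # assumed cap; a site would pick its own


class LottieRejected(ValueError):
    """Raised when an upload must not be stored."""


def _strip_expressions(node, removed):
    """Remove expression fields ("x": "<javascript string>") in place.

    Assumption about the format: a JavaScript expression string under "x"
    is evaluated by Lottie players, so dropping it removes a script-bearing
    field. Non-string "x" values (split position components) are kept.
    """
    if isinstance(node, dict):
        if isinstance(node.get("x"), str):
            del node["x"]
            removed.append(1)
        for child in node.values():
            _strip_expressions(child, removed)
    elif isinstance(node, list):
        for child in node:
            _strip_expressions(child, removed)


def _string_values(node, path="$"):
    """Yield (json_path, value) for every string anywhere in the document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _string_values(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _string_values(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def validate_lottie_upload(raw: bytes):
    """Parse and check an upload. Returns (cleaned_doc, expressions_removed)
    or raises LottieRejected with the reason."""
    if len(raw) > MAX_UPLOAD_BYTES:
        raise LottieRejected("file too large")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise LottieRejected(f"not valid UTF-8 JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise LottieRejected("top level must be a JSON object")
    missing = REQUIRED_TOP_LEVEL_KEYS - doc.keys()
    if missing:
        raise LottieRejected(f"missing Lottie keys: {sorted(missing)}")
    if not isinstance(doc["layers"], list):
        raise LottieRejected("'layers' must be an array")
    removed = []
    _strip_expressions(doc, removed)
    for path, value in _string_values(doc):
        if SUSPICIOUS.search(value):
            raise LottieRejected(f"script-like content at {path}: {value[:40]!r}")
    return doc, len(removed)


def upload_is_accepted(raw: bytes) -> bool:
    """Convenience wrapper: True if the file would be stored, False if rejected."""
    try:
        validate_lottie_upload(raw)
        return True
    except LottieRejected:
        return False


def render_player_tag(src_url: str, animation_name: str) -> str:
    """Output-escaping layer. Assumed markup, not the plugin's template: every
    value placed in an attribute is HTML-escaped including quotes."""
    return (f'<lottie-player src="{html.escape(src_url, quote=True)}" '
            f'title="{html.escape(animation_name, quote=True)}"></lottie-player>')


# Constructed sample uploads (not real files from any site).
GOOD_UPLOAD = json.dumps({
    "v": "5.7.4", "fr": 30, "ip": 0, "op": 60, "w": 100, "h": 100, "nm": "spinner",
    "layers": [{"ty": 4, "nm": "circle", "ks": {"r": {"a": 0, "k": 0, "x": "time*360"}}}],
}).encode()
TAGGED_NAME_UPLOAD = json.dumps({
    "v": "5.7.4", "fr": 30, "ip": 0, "op": 60, "w": 100, "h": 100,
    "nm": "<b>bold</b>", "layers": [],
}).encode()
NOT_JSON_UPLOAD = b"this is not an animation"

if __name__ == "__main__":
    cleaned, n = validate_lottie_upload(GOOD_UPLOAD)
    print(f"accepted, {n} expression(s) stripped")
    for sample in (TAGGED_NAME_UPLOAD, NOT_JSON_UPLOAD):
        print("accepted" if upload_is_accepted(sample) else "rejected")
    print(render_player_tag("https://example.invalid/a.json", 'say "hi" & bye'))
```

The validator fails closed: anything that is not a UTF-8 JSON object with the expected animation shape is rejected before it touches storage, and string values are scanned only after expression fields have been removed, so a script hidden in an expression never reaches the markup scan as a false negative. The rendering helper shows the second layer the advisory calls for; even a name that slipped past validation cannot break out of the attribute once it is escaped with quotes.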

Reservation: 02/20/2025

Disclosure: 05/01/2025

Moderation: accepted

CPE: ready

EPSS: 0.00164

KEV: no

Activities: very low
