ID

VAR-202506-2291


CVE

CVE-2025-4216


TITLE

WordPress DIOT SCADA with MQTT plugin cross-site scripting vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-13890

DESCRIPTION

The DIOT SCADA with MQTT plugin for WordPress (plugin directory slug ecava-diot-scada, per the referenced repository path) is vulnerable to stored cross-site scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1, because user-supplied shortcode attributes are neither sufficiently sanitized on input nor escaped on output. An authenticated attacker with Contributor-level access or higher can place a crafted shortcode in a post so that arbitrary web script is stored in the page and executes in the browser of every user who views it. Because Contributors cannot publish posts themselves, the payload typically fires when an Editor or Administrator previews or publishes the submitted post, and thereafter for every visitor of the public page. WordPress itself is a product of the WordPress Foundation; the plugin is a third-party extension distributed through the WordPress.org plugin directory. The CNVD record describes the same flaw: the application does not effectively filter and escape user-supplied data before rendering it.

Trust: 1.44

sources: NVD: CVE-2025-4216 // CNVD: CNVD-2025-13890
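The bug class described above, stored XSS through unescaped shortcode attributes, is easiest to see as a vulnerable handler beside its hardened form. The following is an added illustrative example and is not the plugin's own code: the attribute names (topic, label, width) and the emitted markup are assumptions made for the example, and the stand-in definitions at the top exist only so the file runs under the php CLI outside WordPress (inside WordPress the real core functions are used).

```php
<?php
// Added illustrative example, not the plugin's own code. A minimal 'diot'
// shortcode handler written in the vulnerable style (attributes interpolated
// into HTML unescaped) next to a hardened version. Attribute names and markup
// are assumptions for the example.

// Stand-ins so this file runs under `php` outside WordPress. In WordPress the
// core functions of the same name exist and this block is skipped.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts, $shortcode = '' ) {
        return array_merge( $defaults, array_intersect_key( (array) $atts, $defaults ) );
    }
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function absint( $n ) {
        return abs( (int) $n );
    }
    function add_shortcode( $tag, $callback ) { /* no-op outside WordPress */ }
}

// Vulnerable pattern: a Contributor writes [diot topic='x" onmouseover="alert(1)']
// in a post. KSES does not touch shortcode text, the shortcode parser accepts a
// double quote inside a single-quoted value, and the handler emits it verbatim,
// so the event handler lands in the rendered page for every viewer.
function diot_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'topic' => '', 'label' => '', 'width' => '300' ), $atts, 'diot' );
    return '<div class="diot-widget" data-topic="' . $atts['topic'] . '"'
         . ' style="width:' . $atts['width'] . 'px">'
         . '<span class="diot-label">' . $atts['label'] . '</span></div>';
}

// Hardened pattern: every value is escaped for the context it lands in.
function diot_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'topic' => '', 'label' => '', 'width' => '300' ), $atts, 'diot' );
    $topic = esc_attr( $atts['topic'] ); // inside a quoted HTML attribute
    $width = absint( $atts['width'] );   // numeric CSS length: no quotes, no ';'
    $label = esc_html( $atts['label'] ); // text node content
    return '<div class="diot-widget" data-topic="' . $topic . '"'
         . ' style="width:' . $width . 'px">'
         . '<span class="diot-label">' . $label . '</span></div>';
}
add_shortcode( 'diot', 'diot_shortcode_hardened' );

// Constructed attacker-controlled attributes, shaped as WordPress's shortcode
// parser would hand them to the handler after parsing the post content.
$attack = array(
    'topic' => 'x" onmouseover="alert(1)',
    'width' => '1px" onclick="alert(2)',
    'label' => '<img src=x onerror=alert(3)>',
);
echo "vulnerable:\n" . diot_shortcode_vulnerable( $attack ) . "\n\n";
echo "hardened:\n"   . diot_shortcode_hardened( $attack ) . "\n";
```

Run with `php example.php`: the vulnerable output contains three live injection points (two attribute break-outs and an injected tag), while the hardened output keeps each value inert in its context. The general rule the example applies is to escape at output for the exact context (esc_attr for attributes, esc_html for text, esc_url for URLs, a numeric cast for lengths); sanitizing on input is a useful second layer but does not replace it, because the same attribute value can end up in several contexts.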

IOT TAXONOMY

category: ICS
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-13890

AFFECTED PRODUCTS

vendor: wordpress
model: diot scada with mqtt plugin
scope: lte
version: <=1.0.5.1

Trust: 0.6

sources: CNVD: CNVD-2025-13890

CVSS

SEVERITY

security@wordfence.com: CVE-2025-4216
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2025-13890
value: MEDIUM

Trust: 0.6

CVSSV2

CNVD: CNVD-2025-13890
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/Au:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

security@wordfence.com: CVE-2025-4216
baseSeverity: MEDIUM
baseScore: 6.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-13890 // NVD: CVE-2025-4216

PROBLEMTYPE DATA

problemtype: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Trust: 1.0

sources: NVD: CVE-2025-4216

EXTERNAL IDS

db: NVD, id: CVE-2025-4216

Trust: 1.6

db: CNVD, id: CNVD-2025-13890

Trust: 0.6

sources: CNVD: CNVD-2025-13890 // NVD: CVE-2025-4216

REFERENCES

url:https://plugins.trac.wordpress.org/browser/ecava-diot-scada/trunk/includes/shortcodes.php

Trust: 1.6

url:https://www.wordfence.com/threat-intel/vulnerabilities/id/1cf23d79-5bd3-4224-835d-174653ddd504?source=cve

Trust: 1.0

sources: CNVD: CNVD-2025-13890 // NVD: CVE-2025-4216

SOURCES

db: CNVD, id: CNVD-2025-13890
db: NVD, id: CVE-2025-4216

LAST UPDATE DATE

2025-07-04T23:38:01.455000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-13890, date: 2025-06-27T00:00:00
db: NVD, id: CVE-2025-4216, date: 2025-06-16T12:32:18.840

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-13890, date: 2025-06-27T00:00:00
db: NVD, id: CVE-2025-4216, date: 2025-06-14T09:15:23.160