Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-aczk-v28c-zqb5

Summary The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Aliases

alias	CVE-2025-14887

Fixed_packages

Affected_packages

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-14887

reference_id

reference_type

scores

value	0.0002
scoring_system	epss
scoring_elements	0.05788
published_at	2026-06-11T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.0579
published_at	2026-06-14T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05801
published_at	2026-06-13T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05809
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-14887

reference_url

https://www.wordfence.com/threat-intel/vulnerabilities/id/223d62cc-61ee-4818-9521-a772c1d57d59?source=cve

reference_id

223d62cc-61ee-4818-9521-a772c1d57d59?source=cve

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-07T14:52:24Z/

url

https://www.wordfence.com/threat-intel/vulnerabilities/id/223d62cc-61ee-4818-9521-a772c1d57d59?source=cve

reference_url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L32

reference_id

default.php#L32

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-07T14:52:24Z/

url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L32

reference_url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L36

reference_id

default.php#L36

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-07T14:52:24Z/

url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L36

reference_url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L46

reference_id

default.php#L46

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-07T14:52:24Z/

url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L46

reference_url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L50

reference_id

default.php#L50

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-07T14:52:24Z/

url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L50

reference_url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L84

reference_id

default.php#L84

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-07T14:52:24Z/

url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L84

reference_url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L88

reference_id

default.php#L88

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-07T14:52:24Z/

url

https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L88

Weaknesses

cwe_id	79
name	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Exploits

Severity_range_score 4.4 - 4.4

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aczk-v28c-zqb5

Vulnerability Instance