PT-2026-31090 · WordPress · Lottie Player
Alex Thomas
·
Published
2026-04-08
·
Updated
2026-04-13
·
CVE-2025-1794
CVSS v3.1
5.4
Medium
| AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The AM LottiePlayer plugin for WordPress versions up to and including 3.6.0
Description
The AM LottiePlayer plugin for WordPress is susceptible to Stored Cross-Site Scripting through uploaded SVG files. Insufficient input sanitization and output escaping allow authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the affected page.
Recommendations
Update the AM LottiePlayer plugin to a version newer than 3.6.0.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Lottie Player