CVE-2025-1529: 
WordPress vulnerability analysis and mitigation

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via uploaded lottie files in versions up to and including 3.5.3. This vulnerability was discovered and disclosed on May 1, 2025. The vulnerability affects the file upload functionality of the plugin and impacts WordPress installations using the affected versions (NVD Database, Wiz Report).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's file upload functionality. This security flaw allows authenticated users with Author-level access and above to inject arbitrary web scripts through uploaded lottie files. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD Database).

The vulnerability allows authenticated attackers with Author-level privileges to inject malicious scripts that execute in users' browsers when they visit pages containing the compromised lottie files. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks (Wiz Report).

The vulnerability has been patched in version 3.5.4 of the AM LottiePlayer plugin. Site administrators are strongly advised to update to this version immediately. The fix can be found in the WordPress plugin repository (WordPress Plugin).