CVE-2025-1529: 
WordPress vulnerability analysis and mitigation

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via uploaded lottie files in versions up to and including 3.5.3. This vulnerability was discovered and disclosed on May 1, 2025 (NVD Database).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's file upload functionality. This security flaw allows authenticated users with Author-level access and above to inject arbitrary web scripts through uploaded lottie files. The injected scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD Database).

The vulnerability allows authenticated attackers with Author-level privileges to inject malicious scripts that execute in users' browsers when they visit pages containing the compromised lottie files. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks (NVD Database).

The vulnerability has been patched in version 3.5.4 of the AM LottiePlayer plugin. Site administrators are strongly advised to update to this version immediately. The fix can be found in the WordPress plugin repository (WordPress Plugin).