Malicious code in @antv/g-lottie-player (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

EUVD-2025-12123

Malicious code in bioql PyPI...

PT-2025-18380 · WordPress · Lottie Player

Name of the Vulnerable Software and Affected Versions: AM LottiePlayer plugin for WordPress versions up to, and including, 3.5.3 Description: The issue is related to Stored Cross-Site Scripting via uploaded lottie files due to insufficient input sanitization and output escaping. This allows...

CVE-2025-2579

The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...

CVE-2025-2579

The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...

CVE-2025-2579 Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload

The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...

CVE-2025-2579 Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload

The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...

CVE-2025-2579

CVE-2025-2579 (Lottie Player for WordPress) : The plugin versions up to 1.1.8 are vulnerable to Stored Cross-Site Scripting via file uploads due to insufficient input sanitization/output escaping. Exploitation requires authenticated access at Author level or higher, enabling injection of scripts ...

PT-2025-17710 · WordPress · Lottie Player

Name of the Vulnerable Software and Affected Versions: Lottie Player plugin for WordPress versions up to, and including, 1.1.8 Description: The issue is related to Stored Cross-Site Scripting via File uploads due to insufficient input sanitization and output escaping. This allows authenticated...

WordPress plugin Lottie Player 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...

WordPress Lottie Player plugin <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload vulnerability

Authenticated Author+ Stored Cross-Site Scripting via File Upload vulnerability discovered by Avraham Shemesh in WordPress Plugin Lottie Player block - Implement Lottie animations. versions = 1.1.8...

Malicious code in @lottiefiles/lottie-player (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security faa879b0fa360852899250846599b4b81d442b942d5e4fec4101044400272af1 The NPM package @lottiefiles/lottie-player had unauthorized new versions published that contained malicious code. The malicious code...

MAL-2024-10301 Malicious code in @lottiefiles/lottie-player (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security faa879b0fa360852899250846599b4b81d442b942d5e4fec4101044400272af1 The NPM package @lottiefiles/lottie-player had unauthorized new versions published that contained malicious code. The malicious code...

Supply chain attack on lottie-player: everything you need to know

Supply chain attack in popular lottie-player library compromises websites with malicious Web3 wallet prompts – update or revert the library to avoid the compromised versions...

Malicious code in fk-react-lottie-player (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 33691a695b98097014a383d3aaf0e290cf4b6c6793c824ab4324aebe7ea66e3c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...