CVE-2025-22142

MEDIUM

NamelessMC < 2.1.3 - Stored Cross-Site Scripting via Custom Profile Field

Title source: llm
STIX 2.1

Description

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff panel. As a result an attacker can execute javascript code on the staffer's computer. This issue has been addressed in version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

References (2)

Core 2
Core References

Scores

CVSS v3 5.4
EPSS 0.0027
EPSS Percentile 18.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
namelessmc/nameless < 2.1.3
Published Jan 13, 2025
Tracked Since Feb 18, 2026