{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11872", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T16:00:31.227Z", "datePublished": "2025-10-22T08:27:03.669Z", "dateUpdated": "2026-04-08T16:33:49.315Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:49.315Z"}, "affected": [{"vendor": "mcostales84", "product": "Material Design Iconic Font Integration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Material Design Iconic Font Integration <= 2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c1dc58-483e-49f7-aff0-e5a1e70bb149?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/material-design-iconic-font-integration/tags/2/md-iconic-font-integration.php#L46"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-10-21T20:21:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T15:44:44.037277Z", "id": "CVE-2025-11872", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T15:45:02.861Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T15:44:44.037277Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T15:44:57.740Z"}}], "cna": {"title": "Material Design Iconic Font Integration <= 2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mcostales84", "product": "Material Design Iconic Font Integration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-21T20:21:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c1dc58-483e-49f7-aff0-e5a1e70bb149?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/material-design-iconic-font-integration/tags/2/md-iconic-font-integration.php#L46"}], "descriptions": [{"lang": "en", "value": "The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:49.315Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11872", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:49.315Z", "dateReserved": "2025-10-16T16:00:31.227Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-22T08:27:03.669Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11872", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-22T09:15:35.490", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/material-design-iconic-font-integration/tags/2/md-iconic-font-integration.php#L46"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06c1dc58-483e-49f7-aff0-e5a1e70bb149?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:36:50.061756+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to the latest release, which implements proper input sanitization and output escaping to mitigate the stored XSS flaw.", "If an upgrade is not immediately possible, restrict or remove the Contributor role from users who are allowed to edit the shortcode or prevent the shortcode from processing attributes containing script tags.", "As a temporary workaround, configure the site\u2019s security plugins or server settings to strip JavaScript from content stored via the plugin, or block use of the plugin entirely until a patched version is available."], "summary": {"action": "Apply patch", "impact": "Stored Cross\u2011Site Scripting (CWE\u201179)"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the mcostales84:Material Design Iconic Font Integration WordPress plugin for all releases through version 2. Users running any of those releases are susceptible to exploitation.", "description_and_impact": "The Material Design Iconic Font Integration plugin for WordPress includes a shortcode that accepts user\u2011supplied attributes without proper sanitization or escaping. This flaw enables authenticated users with contributor or higher privileges to embed arbitrary JavaScript code into pages. Once injected, the scripts execute whenever any visitor loads the affected page, potentially compromising user sessions, stealing data, or defacing content.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1% signals a low probability of exploitation underway, and the vulnerability has not been listed in the CISA KEV catalog. Attackers must first be authenticated with contributor level or better and must inject malicious payloads via the shortcode\u2019s attributes; the code is then stored and served to site visitors, making the threat a typical stored XSS event."}}}}, "created": "2025-10-23T10:07:56.622740+00:00", "updated": "2026-04-27T23:45:15.888902+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}