{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12034", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T17:36:37.692Z", "datePublished": "2025-10-25T06:49:20.557Z", "dateUpdated": "2026-04-08T16:38:23.899Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:23.899Z"}, "affected": [{"vendor": "alignak", "product": "Fast Velocity Minify", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Fast Velocity Minify <= 3.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c02e03a-7f96-4efa-9071-4a76fb21900d?source=cve"}, {"url": "https://github.com/peixotorms/fast-velocity-minify/commit/55a8b53a2ec6d358f8d7ad181170b9d8112e78ab"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383015%40fast-velocity-minify&new=3383015%40fast-velocity-minify&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cody Sixteen"}], "timeline": [{"time": "2025-10-23T01:50:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T18:28:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:54:38.955807Z", "id": "CVE-2025-12034", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:54:50.525Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:54:38.955807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:54:44.079Z"}}], "cna": {"title": "Fast Velocity Minify <= 3.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Cody Sixteen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "alignak", "product": "Fast Velocity Minify", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T01:50:51.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T18:28:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c02e03a-7f96-4efa-9071-4a76fb21900d?source=cve"}, {"url": "https://github.com/peixotorms/fast-velocity-minify/commit/55a8b53a2ec6d358f8d7ad181170b9d8112e78ab"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383015%40fast-velocity-minify&new=3383015%40fast-velocity-minify&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:23.899Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12034", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:38:23.899Z", "dateReserved": "2025-10-21T17:36:37.692Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T06:49:20.557Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12034", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T07:15:40.930", "references": [{"source": "security@wordfence.com", "url": "https://github.com/peixotorms/fast-velocity-minify/commit/55a8b53a2ec6d358f8d7ad181170b9d8112e78ab"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383015%40fast-velocity-minify&new=3383015%40fast-velocity-minify&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c02e03a-7f96-4efa-9071-4a76fb21900d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:33:51.157245+00:00", "value": {"mitigation_remediation": ["Upgrade Fast Velocity Minify to a version that includes the stored XSS fix.", "If an update is not available, temporarily disable or delete the plugin on all sites to eliminate the attack surface.", "If disabling is not feasible, restrict access to the plugin\u2019s admin settings to trusted administrators only and review existing settings for any injected code, removing any suspicious scripts before they are rendered to other users."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting by authenticated administrators"}, "threat_synthesis": {"affected_systems": "All WordPress installations that run Fast Velocity Minify version 3.5.1 or earlier are affected. The vulnerability applies only to multi\u2011site networks or installations where the unfiltered_html capability has been disabled. Only administrators can insert the malicious payload, but all visitors to a page that renders the plugin\u2019s settings are exposed to the injected script.", "description_and_impact": "The Fast Velocity Minify plugin for WordPress contains a stored Cross\u2011Site Scripting (CWE\u201179) vulnerability caused by insufficient input sanitization and output escaping in its admin settings. When an administrator injects malicious JavaScript, it is permanently stored and executes automatically whenever a user accesses a page that includes the injected setting. Attackers must first have administrator\u2011level or higher credentials to inject the code, and the flaw exists in all versions up to and including 3.5.1.", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests a relatively low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is authenticated exploitation through the plugin\u2019s admin settings, and the injected script will run on every user who visits an affected page. The flaw does not provide system\u2011wide compromise beyond the pages rendered by the plugin."}}}}, "created": "2025-10-27T22:10:17.916066+00:00", "updated": "2026-04-27T23:45:15.882805+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}