{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12077", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-22T15:08:56.774Z", "datePublished": "2025-12-13T04:31:31.376Z", "dateUpdated": "2026-04-08T17:17:26.473Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:26.473Z"}, "affected": [{"vendor": "f1logic", "product": "WP to LinkedIn Auto Publish", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "WP to LinkedIn Auto Publish <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b680132a-f397-4636-98b2-bcd8c168e822?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/linkedin-auto-publish/trunk/js/notice.js"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412103%40linkedin-auto-publish&new=3412103%40linkedin-auto-publish&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nicolai Hellesnes"}], "timeline": [{"time": "2025-12-12T15:28:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:11.011488Z", "id": "CVE-2025-12077", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:47:10.676Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12077", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:11.011488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:12.247Z"}}], "cna": {"title": "WP to LinkedIn Auto Publish <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage", "credits": [{"lang": "en", "type": "finder", "value": "Nicolai Hellesnes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "f1logic", "product": "WP to LinkedIn Auto Publish", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.9.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T15:28:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b680132a-f397-4636-98b2-bcd8c168e822?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/linkedin-auto-publish/trunk/js/notice.js"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412103%40linkedin-auto-publish&new=3412103%40linkedin-auto-publish&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:26.473Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12077", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:26.473Z", "dateReserved": "2025-10-22T15:08:56.774Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:31.376Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-12077", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:46.063", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/linkedin-auto-publish/trunk/js/notice.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412103%40linkedin-auto-publish&new=3412103%40linkedin-auto-publish&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b680132a-f397-4636-98b2-bcd8c168e822?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:48:19.286801+00:00", "value": {"mitigation_remediation": ["Upgrade the WP to LinkedIn Auto Publish plugin to a version newer than 1.9.8 if one is available. ", "If no update is available, disable or uninstall the plugin until a patch is released. ", "Implement a site\u2011wide content security policy that restricts inline script execution and restricts script sources to trusted domains to mitigate the impact of any remaining reflected XSS attacks."], "summary": {"action": "Update Plugin", "impact": "Client-side script execution (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of the WP to LinkedIn Auto Publish plugin up to and including version 1.9.8. Any WordPress site that has installed this plugin and has not upgraded beyond 1.9.8 is potentially impacted. No specific WordPress core versions are cited as affected; the issue resides solely within the plugin code.", "description_and_impact": "The WP to LinkedIn Auto Publish WordPress plugin contains a reflected cross\u2011site scripting vulnerability caused by insufficient input sanitization and output escaping in a PostMessage handler. An unauthenticated attacker can supply a crafted link that, when a user clicks it, injects arbitrary JavaScript into the page the user views. The injected script runs inside the victim\u2019s browser session, allowing the attacker to steal cookies, hijack the user\u2019s session, or perform other malicious actions on the website without the need for credentials.", "risk_and_exploitability": "With a CVSS score of 6.1, the risk is moderate. The EPSS score of less than 1% indicates that the probability of active exploitation is low at present, and the vulnerability is not currently listed in the CISA KEV catalog. Because exploitation requires the victim to interact with a malicious link, the attack vector is user\u2011initiated; an attacker would need to compel the user to click, for example, through phishing or social engineering. Nevertheless, the potential impact on user sessions warrants timely remediation."}}}}, "created": "2025-12-14T21:14:44.342734+00:00", "updated": "2026-04-21T01:00:12.941057+00:00", "vendors": ["f1logic", "f1logic$PRODUCT$wp_to_linkedin_auto_publish", "wordpress", "wordpress$PRODUCT$wordpress"]}