{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12096", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-22T20:31:10.323Z", "datePublished": "2025-10-24T08:23:59.609Z", "dateUpdated": "2026-04-08T16:56:11.924Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:11.924Z"}, "affected": [{"vendor": "prawas", "product": "Simple Excel Pricelist for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Excel Pricelist for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricelist' shortcode in all versions up to, and including, 1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Simple Excel Pricelist for WooCommerce <= 1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e7fa38f-26ef-4011-af18-c18883159425?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-excel-pricelist-for-woocommerce/trunk/classes/sepwWorker.php#L176"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-10-23T19:42:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-24T12:26:44.407146Z", "id": "CVE-2025-12096", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:26:56.359Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12096", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-24T12:26:44.407146Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:26:52.019Z"}}], "cna": {"title": "Simple Excel Pricelist for WooCommerce <= 1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "prawas", "product": "Simple Excel Pricelist for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.13"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T19:42:19.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e7fa38f-26ef-4011-af18-c18883159425?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-excel-pricelist-for-woocommerce/trunk/classes/sepwWorker.php#L176"}], "descriptions": [{"lang": "en", "value": "The Simple Excel Pricelist for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricelist' shortcode in all versions up to, and including, 1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-24T08:23:59.609Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12096", "state": "PUBLISHED", "dateUpdated": "2025-10-24T12:26:56.359Z", "dateReserved": "2025-10-22T20:31:10.323Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-24T08:23:59.609Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Excel Pricelist for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricelist' shortcode in all versions up to, and including, 1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12096", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-24T09:15:44.917", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-excel-pricelist-for-woocommerce/trunk/classes/sepwWorker.php#L176"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e7fa38f-26ef-4011-af18-c18883159425?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:47:28.068924+00:00", "value": {"mitigation_remediation": ["Upgrade to Simple Excel Pricelist for WooCommerce version\u202f1.14 or later, where the input sanitization bug has been fixed.", "If an immediate update is not possible, disable the \u2018pricelist\u2019 shortcode by removing all related shortcode tags from existing posts or by implementing a filter that strips the shortcode before rendering, or use a security plugin (e.g., Wordfence or iThemes Security) to block unsanitary shortcode usage.", "Restrict the Contributor role to the minimum necessary permissions or employ a role\u2011management plugin to limit who can publish content containing shortcodes."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting accessible to authenticated users with Contributor level or higher"}, "threat_synthesis": {"affected_systems": "All WordPress sites that install the Simple Excel Pricelist for WooCommerce plugin from prawas, version 1.13 or earlier, are affected. The issue appears in every release up to and including 1.13, regardless of other site configuration or plugins.", "description_and_impact": "The Simple Excel Pricelist for WooCommerce plugin has a stored cross\u2011site scripting flaw that allows an authenticated Contributor or higher to insert malicious scripts into pages using the \u2018pricelist\u2019 shortcode. Because the plugin does not sanitize or escape user supplied attributes, the attacker\u2019s input can be stored and executed in the context of any user who views a page containing the shortcode. Since the vulnerability only requires the attacker to have at least Contributor permissions and to edit or create posts, it does not rely on external network access. Based on the description, it is inferred that the injected JavaScript could be used for session hijacking, credential theft, or defacement, patterns typical of XSS exploits.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity and the EPSS score of less than 1\u202f% shows that real\u2011world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires the attacker to possess at least Contributor level access to edit content and to craft the malicious shortcode payload; once the payload is stored, it will execute for every visitor to the affected page. The likely attack vector is via the \u2018pricelist\u2019 shortcode embedded in post content."}}}}, "created": "2025-10-27T22:13:14.322598+00:00", "updated": "2026-04-22T17:00:12.307075+00:00", "vendors": ["prawas", "prawas$PRODUCT$simple_excel_pricelist_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}