{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12124", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T18:24:25.580Z", "datePublished": "2025-12-05T05:31:20.945Z", "dateUpdated": "2026-04-08T16:33:40.545Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:40.545Z"}, "affected": [{"vendor": "kevindees", "product": "FitVids for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "FitVids for WordPress <= 4.0.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/063a245d-bd9e-49ac-bdf0-549a25eba9fe?source=cve"}, {"url": "https://wordpress.org/plugins/fitvids-for-wordpress/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-12-04T17:28:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T15:40:17.131996Z", "id": "CVE-2025-12124", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:41:56.273Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12124", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T15:40:17.131996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:40:58.017Z"}}], "cna": {"title": "FitVids for WordPress <= 4.0.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "kevindees", "product": "FitVids for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T17:28:48.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/063a245d-bd9e-49ac-bdf0-549a25eba9fe?source=cve"}, {"url": "https://wordpress.org/plugins/fitvids-for-wordpress/"}], "descriptions": [{"lang": "en", "value": "The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-05T05:31:20.945Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12124", "state": "PUBLISHED", "dateUpdated": "2025-12-05T15:41:56.273Z", "dateReserved": "2025-10-23T18:24:25.580Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T05:31:20.945Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12124", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T06:16:05.207", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/fitvids-for-wordpress/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/063a245d-bd9e-49ac-bdf0-549a25eba9fe?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:56:16.309105+00:00", "value": {"mitigation_remediation": ["Update the FitVids for WordPress plugin to version 4.0.2 or newer to apply the input sanitization fix.", "If an update is not immediately possible, deactivate the plugin until a patch is applied to prevent further XSS payloads from being stored.", "Review the list of administrators and remove or downgrade any accounts that do not require administrative privileges, limiting the number of users who can inject scripts."], "summary": {"action": "Patch", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the FitVids for WordPress plugin version 4.0.1 or earlier. The issue is limited to multisit installations and those where the unfiltered_html option is disabled, as only the former can store malicious scripts via the settings page.", "description_and_impact": "The FitVids plugin for WordPress 4.0.1 or earlier stores unsanitized input from the admin settings, allowing an authenticated administrator to inject arbitrary JavaScript into content that is rendered to all users. The flaw can lead to theft of credentials, session hijacking, or defacement when any site visitor loads a page that contains the injected code.", "risk_and_exploitability": "The CVSS score of 4.4 indicates low\u2011to\u2011moderate severity, and the EPSS score of <1% shows a very small chance of exploitation. The vulnerability is not in the CISA KEV catalog, suggesting it is not a known exploited vulnerability. An attacker must be a site administrator or higher to use the flaw; once injected, the script runs for any visitor, creating a persistent attack surface that could lead to credential theft or defacement."}}}}, "created": "2025-12-05T10:51:58.607032+00:00", "updated": "2026-04-22T21:00:06.370820+00:00", "vendors": ["kenvindees", "kenvindees$PRODUCT$fitvids_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}