{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12128", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T18:37:00.960Z", "datePublished": "2025-12-05T05:31:27.548Z", "dateUpdated": "2026-04-08T17:17:24.444Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:24.444Z"}, "affected": [{"vendor": "kaushikankrani", "product": "Hide Categories Or Products On Shop Page", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Hide Categories Or Products On Shop Page <= 1.0.7 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b649266a-6a9a-4d2e-9a82-2335e96bfe0d?source=cve"}, {"url": "https://wordpress.org/plugins/hide-categories-or-products-on-shop-page/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-12-04T16:29:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T14:08:45.711489Z", "id": "CVE-2025-12128", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:08:59.178Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12128", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T14:08:45.711489Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:08:54.189Z"}}], "cna": {"title": "Hide Categories Or Products On Shop Page <= 1.0.7 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "kaushikankrani", "product": "Hide Categories Or Products On Shop Page", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T16:29:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b649266a-6a9a-4d2e-9a82-2335e96bfe0d?source=cve"}, {"url": "https://wordpress.org/plugins/hide-categories-or-products-on-shop-page/"}], "descriptions": [{"lang": "en", "value": "The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-05T05:31:27.548Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12128", "state": "PUBLISHED", "dateUpdated": "2025-12-05T14:08:59.178Z", "dateReserved": "2025-10-23T18:37:00.960Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T05:31:27.548Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12128", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T06:16:05.380", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/hide-categories-or-products-on-shop-page/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b649266a-6a9a-4d2e-9a82-2335e96bfe0d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:08:24.286375+00:00", "value": {"mitigation_remediation": ["Upgrade Hide Categories Or Products On Shop Page to the latest version (\u22651.0.8) to eliminate the CSRF flaw.", "If an immediate upgrade is not feasible, disable the plugin until the patch can be applied to prevent accidental configuration changes.", "Verify that all WordPress core and other plugins are current and that your site\u2019s overall CSRF protection follows best practices, including the use of unique, single\u2011use nonces for state\u2011changing requests."], "summary": {"action": "Patch promptly", "impact": "Unauthorized modification of plugin settings"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Hide Categories Or Products On Shop Page developed by Kaushik Ankrani. All installed copies running version 1.0.7 or earlier are susceptible. The impact is confined to sites that have the plugin active and rely on its settings to control product visibility.", "description_and_impact": "The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery (CWE\u2011352) caused by missing or incorrect nonce validation in its save_data_hcps() function. This flaw allows an unauthenticated attacker to force an administrator or other privileged user to submit a forged request that updates the plugin\u2019s settings. The resulting configuration changes can hide categories or products on the shop page, potentially altering site functionality, degrading user experience, or creating a denial of service scenario for legitimate users.", "risk_and_exploitability": "With a CVSS score of 4.3, the flaw represents moderate severity. Its EPSS score is below 1\u202f%, indicating a low probability of exploitation in the general population. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a social\u2011engineering scenario where an attacker sends a malicious link to a site administrator, who, without realizing it, performs a state\u2011changing request that the plugin accepts without valid nonce verification. No additional technical requirements beyond tricking a privileged user are needed for exploitation."}}}}, "created": "2025-12-05T10:51:54.695842+00:00", "updated": "2026-04-21T01:15:20.129679+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}