{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12135", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T20:58:43.149Z", "datePublished": "2025-11-21T07:31:51.599Z", "dateUpdated": "2026-04-08T17:02:55.575Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:55.575Z"}, "affected": [{"vendor": "iqonicdesign", "product": "WPBookit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d7b2c79-c4f7-4611-a22a-685d4421a4ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes-handler.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes.php#L118"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-setting-controller.php#L16"}, {"url": "https://github.com/d0n601/CVE-2025-12135"}, {"url": "https://ryankozak.com/posts/cve-2025-12135/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398463%40wpbookit&new=3398463%40wpbookit&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ryan Kozak"}], "timeline": [{"time": "2025-10-23T21:14:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-20T18:42:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T16:39:16.603500Z", "id": "CVE-2025-12135", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T18:05:38.396Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12135", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-24T16:39:16.603500Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T16:41:21.848Z"}}], "cna": {"title": "WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Ryan Kozak"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "iqonicdesign", "product": "WPBookit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T21:14:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-20T18:42:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d7b2c79-c4f7-4611-a22a-685d4421a4ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes-handler.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes.php#L118"}, {"url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-setting-controller.php#L16"}, {"url": "https://github.com/d0n601/CVE-2025-12135"}, {"url": "https://ryankozak.com/posts/cve-2025-12135/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398463%40wpbookit&new=3398463%40wpbookit&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:55.575Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12135", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:55.575Z", "dateReserved": "2025-10-23T20:58:43.149Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:51.599Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12135", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:52.717", "references": [{"source": "security@wordfence.com", "url": "https://github.com/d0n601/CVE-2025-12135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes-handler.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes.php#L118"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-setting-controller.php#L16"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398463%40wpbookit&new=3398463%40wpbookit&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://ryankozak.com/posts/cve-2025-12135/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d7b2c79-c4f7-4611-a22a-685d4421a4ab?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:49:44.177508+00:00", "value": {"mitigation_remediation": ["Upgrade the WPBookit plugin to the latest version where the capability check has been added.", "If an upgrade is not immediately possible, temporarily disable the custom CSS feature or uninstall the WPBookit plugin until a patched version is available.", "Monitor user sessions for signs of XSS exploitation and ensure the rest of the WordPress installation (core, themes, other plugins) is up to date to reduce the overall attack surface."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WPBookit plugin from iqonicdesign, any version up to and including 1.0.6, are affected.", "description_and_impact": "The WPBookit plugin contains a stored cross\u2011site scripting flaw caused by the lack of a capability check in the save_custome_code() function. Externally supplied data passed via the css_code parameter is persisted and rendered without proper sanitization, allowing an unauthenticated attacker to inject arbitrary JavaScript that will execute whenever a user views a page using the affected code.", "risk_and_exploitability": "With a CVSS score of 7.2 the vulnerability is classified as high severity. The EPSS score is below 1%, indicating a low current exploitation probability, and the condition is not present in the CISA KEV catalog. Attackers do not need any authentication or elevated privileges; they simply supply malicious content in the css_code field, which is then stored and later rendered to all site visitors. The tendency to remain unauthenticated on affected sites puts all visitors at risk of executing injected scripts."}}}}, "created": "2025-11-24T09:09:38.822192+00:00", "updated": "2026-04-22T13:00:09.728539+00:00", "vendors": ["iqonicdesign", "iqonicdesign$PRODUCT$wpbookit", "wordpress", "wordpress$PRODUCT$wordpress"]}