{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12185", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T19:43:22.226Z", "datePublished": "2025-11-27T05:17:38.335Z", "dateUpdated": "2026-04-08T16:49:38.159Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:38.159Z"}, "affected": [{"vendor": "era404", "product": "StaffList", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "StaffList <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45b9f761-1634-4f70-8c25-956d369cb6d8?source=cve"}, {"url": "https://wordpress.org/plugins/stafflist/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402164%40stafflist&new=3402164%40stafflist&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-11-05T16:03:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-26T16:50:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-03T16:47:04.882922Z", "id": "CVE-2025-12185", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T16:47:12.416Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12185", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-03T16:47:04.882922Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T16:47:09.814Z"}}], "cna": {"title": "StaffList <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "era404", "product": "StaffList", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-05T16:03:15.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-26T16:50:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45b9f761-1634-4f70-8c25-956d369cb6d8?source=cve"}, {"url": "https://wordpress.org/plugins/stafflist/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402164%40stafflist&new=3402164%40stafflist&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:38.159Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12185", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:38.159Z", "dateReserved": "2025-10-24T19:43:22.226Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T05:17:38.335Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12185", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T06:15:46.487", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402164%40stafflist&new=3402164%40stafflist&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/stafflist/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45b9f761-1634-4f70-8c25-956d369cb6d8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:41:31.373127+00:00", "value": {"mitigation_remediation": ["Upgrade the StaffList plugin to the latest available version, which removes the input handling error.", "If an upgrade is not possible immediately, re\u2011enable the unfiltered_html filter or otherwise ensure that custom HTML content is not accepted from the plugin\u2019s settings page.", "Harden the WordPress configuration by limiting administrator accounts, applying the principle of least privilege, and monitoring the admin interface for suspicious input submissions."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that install StaffList version 3.2.6 or earlier. Vulnerability appears only on multisite deployments where the unfiltered_html capability has been removed. Administrators or accounts with alphanumeric higher privileges can use the plugin\u2019s settings page to inject scripts. Older or single\u2011site installations, or those with unfiltered_html enabled, are not affected.", "description_and_impact": "The StaffList plugin for WordPress allows authenticated attackers with administrator\u2011level privileges to inject arbitrary JavaScript via the admin settings page. Because the plugin fails to sanitize input and escape output, the injected script is stored and executed whenever any user views the affected page. The flaw only exists when the site is a multi\u2011site installation and the unfiltered_html filter is disabled, limiting the scope to a subset of WordPress configurations, but it still permits the delivery of malicious payloads to all site users.", "risk_and_exploitability": "The CVSS score of 4.4 reflects that the vulnerability is a moderate severity stored XSS that requires authenticated access and a specific site configuration. The EPSS score of < 1% indicates a very low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog, further suggesting limited exploitation activity. The attacker must be able to reach the Admin Settings interface to submit the payload, which reduces the attack surface. Nonetheless, because any authenticated user can exercise admin\u2011level privileges on a multisite platform, the potential impact of the delivered script could be widespread if an admin account is compromised."}}}}, "created": "2025-11-27T16:25:50.077178+00:00", "updated": "2026-04-22T12:00:05.911032+00:00", "vendors": ["era404", "era404$PRODUCT$stafflist", "wordpress", "wordpress$PRODUCT$wordpress"]}