{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12193", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T20:32:48.505Z", "datePublished": "2025-11-08T03:27:48.543Z", "dateUpdated": "2026-04-08T17:04:41.410Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:41.410Z"}, "affected": [{"vendor": "kitae-park", "product": "Mang Board WP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Mang Board WP <= 2.3.1 - Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8604f1d2-7300-4163-828b-ca17ba53f613?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388547%40mangboard&new=3388547%40mangboard&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-10-28T01:47:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T15:19:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T14:07:28.895633Z", "id": "CVE-2025-12193", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:14:53.472Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12193", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-10T14:07:28.895633Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:07:29.830Z"}}], "cna": {"title": "Mang Board WP <= 2.3.1 - Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "kitae-park", "product": "Mang Board WP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-28T01:47:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T15:19:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8604f1d2-7300-4163-828b-ca17ba53f613?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388547%40mangboard&new=3388547%40mangboard&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:41.410Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12193", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:41.410Z", "dateReserved": "2025-10-24T20:32:48.505Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T03:27:48.543Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-12193", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T04:15:45.223", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388547%40mangboard&new=3388547%40mangboard&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8604f1d2-7300-4163-828b-ca17ba53f613?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:29:53.829347+00:00", "value": {"mitigation_remediation": ["Update the Mang Board WP plugin to the latest version that includes the XSS fix, or uninstall the plugin if it is not required.", "If an update is unavailable, block or sanitize the 'mp' parameter at the application layer, ensuring it is properly escaped before rendering.", "Deploy a web application firewall or security plugin that intercepts unexpected script input and blocks cross\u2011site scripting payloads."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site\u202fScripting"}, "threat_synthesis": {"affected_systems": "All installations of the Mang Board WP WordPress plugin up to and including version 2.3.1 are affected. Users running older releases of the plugin should verify their version and consider upgrading or disabling the plugin entirely.", "description_and_impact": "The Mang Board WP plugin is vulnerable to reflected cross\u2011site scripting due to inadequate sanitization of the 'mp' request parameter. An attacker can embed malicious JavaScript into a crafted URL, which the plugin outputs without proper escaping. When a user follows the link, the script executes in their browser, potentially allowing session hijacking, defacement, or phishing attacks. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.1, indicating a moderate severity, and an EPSS score of less than 1\u202f%, suggesting a low likelihood of exploitation at this time. It is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be an unauthenticated user visiting a specially crafted URL containing malicious payloads; the impact is confined to the victim\u2019s browser session rather than server\u2011side compromise. The most probable exploitation scenario involves phishing or link\u2011bait campaigns targeting unsuspecting users of affected WordPress sites."}}}}, "created": "2025-11-10T09:33:36.066608+00:00", "updated": "2026-04-22T12:30:16.837833+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}