{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12354", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T15:17:32.188Z", "datePublished": "2025-12-05T06:07:18.677Z", "dateUpdated": "2026-04-08T16:47:59.035Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:59.035Z"}, "affected": [{"vendor": "dojodigital", "product": "Live CSS Preview", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting."}], "title": "Live CSS Preview <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ebaadf6-5085-4f2d-a377-34e318351449?source=cve"}, {"url": "https://wordpress.org/plugins/live-css-preview/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445161%40live-css-preview&new=3445161%40live-css-preview&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-01-15T17:23:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-04T17:36:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T13:43:18.366391Z", "id": "CVE-2025-12354", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T13:45:19.544Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12354", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T13:43:18.366391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T13:45:16.497Z"}}], "cna": {"title": "Live CSS Preview <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "dojodigital", "product": "Live CSS Preview", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-15T17:23:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-04T17:36:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ebaadf6-5085-4f2d-a377-34e318351449?source=cve"}, {"url": "https://wordpress.org/plugins/live-css-preview/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445161%40live-css-preview&new=3445161%40live-css-preview&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:59.035Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12354", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:59.035Z", "dateReserved": "2025-10-27T15:17:32.188Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T06:07:18.677Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting."}], "id": "CVE-2025-12354", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T07:16:10.413", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445161%40live-css-preview&new=3445161%40live-css-preview&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/live-css-preview/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ebaadf6-5085-4f2d-a377-34e318351449?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:39:01.998652+00:00", "value": {"mitigation_remediation": ["Upgrade the Live CSS Preview plugin to version 2.1.5 or later, if available.", "If a newer version is not available, disable the 'wp_ajax_frontend_save' AJAX action through custom code or a plugin that restricts access to that endpoint.", "Restrict Subscriber-level users from having the capability to edit CSS settings by modifying WordPress role capabilities or using a role\u2011management plugin."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized configuration change"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Live CSS Preview plugin by Dojo Digital for WordPress versions up to and including 2.1.4. Any WordPress site running one of these versions is a potential target.", "description_and_impact": "The Live CSS Preview plugin for WordPress contains a missing capability check on its AJAX endpoint 'wp_ajax_frontend_save'. This vulnerability allows an authenticated user with Subscriber-level access or higher to modify the plugin's CSS settings without proper authorization. The flaw results in unauthorized alteration of configuration data, which could be used to affect site appearance or embed malicious code, representing a potential data integrity issue.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that exploitation is unlikely but still possible, especially to users who can log in as a Subscriber or higher. The flaw is not listed in CISA's KEV catalog, meaning no confirmed exploitation has been reported. The likely attack vector is a web-based authenticated request to the vulnerable AJAX endpoint, where an attacker can change the CSS settings by supplying the required parameters."}}}}, "created": "2025-12-05T20:56:24.404327+00:00", "updated": "2026-04-22T12:00:05.908262+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}