{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12400", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T14:22:41.199Z", "datePublished": "2025-11-04T04:27:17.374Z", "dateUpdated": "2026-04-08T16:59:42.712Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:42.712Z"}, "affected": [{"vendor": "lmbbox", "product": "LMB^Box Smileys", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LMB^Box Smileys plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "LMB^Box Smileys <= 3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e80e3ac-331a-480f-94ca-06d62230cd80?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L318"}, {"url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L426"}, {"url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L890"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-11-03T16:03:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T16:47:05.685794Z", "id": "CVE-2025-12400", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:47:13.869Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12400", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T16:47:05.685794Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:47:09.327Z"}}], "cna": {"title": "LMB^Box Smileys <= 3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "lmbbox", "product": "LMB^Box Smileys", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T16:03:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e80e3ac-331a-480f-94ca-06d62230cd80?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L318"}, {"url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L426"}, {"url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L890"}], "descriptions": [{"lang": "en", "value": "The LMB^Box Smileys plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:42.712Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12400", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:42.712Z", "dateReserved": "2025-10-28T14:22:41.199Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:17.374Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LMB^Box Smileys plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12400", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:12.360", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L318"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L426"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lmbbox-smileys/tags/3.2/lmbbox-smileys.php#L890"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e80e3ac-331a-480f-94ca-06d62230cd80?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:47:05.447490+00:00", "value": {"mitigation_remediation": ["Upgrade the LMB^Box Smileys plugin to a version that includes the nonce validation fix (any release newer than 3.2).", "If an upgrade is not available, remove the plugin entirely to eliminate the attack surface.", "Educate administrators to recognize unexpected links or forms that could facilitate CSRF, and implement additional web\u2011application firewalls or content\u2011security policies to mitigate XSS payloads."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "Hosts running the LMB^Box Smileys plugin for WordPress with any version up to and including 3.2 are affected. The vulnerability applies to all installations of the plugin that have not yet been upgraded beyond that version threshold.", "description_and_impact": "The LMB^Box Smileys plugin for WordPress contains a missing nonce validation in its manage_page() function, enabling a Cross\u2011Site Request Forgery (CSRF) attack. An unauthenticated attacker can forge a request that appears to come from an administrator and change plugin settings, injecting arbitrary web scripts that are stored and later executed by the site. The impact is the introduction of stored XSS, which can compromise administrator credentials, allow session hijacking, or deliver malicious payloads to site visitors.", "risk_and_exploitability": "The CVSS score of 6.1 signifies a moderate severity, while the EPSS score of less than 1% indicates a very low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to social\u2011engineer a site administrator into clicking a crafted link that submits the forged request, making the attack vector largely manual but potentially effective against unaware administrators."}}}}, "created": "2025-11-04T16:33:12.897793+00:00", "updated": "2026-04-22T12:00:05.919555+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}