{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12403", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T14:31:31.184Z", "datePublished": "2025-11-04T04:27:23.574Z", "dateUpdated": "2026-04-08T17:33:47.372Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:47.372Z"}, "affected": [{"vendor": "revokee", "product": "Associados Amazon Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Associados Amazon Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8. This is due to missing or incorrect nonce validation on the brzon_admin_panel() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Associados Amazon Plugin <= 0.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7968054-69f1-47f5-9a32-b124ee1133ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L568"}, {"url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L569"}, {"url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L589"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-11-03T15:31:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T14:58:31.323446Z", "id": "CVE-2025-12403", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T14:58:40.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12403", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T14:58:31.323446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T14:58:36.683Z"}}], "cna": {"title": "Associados Amazon Plugin <= 0.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "revokee", "product": "Associados Amazon Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T15:31:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7968054-69f1-47f5-9a32-b124ee1133ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L568"}, {"url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L569"}, {"url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L589"}], "descriptions": [{"lang": "en", "value": "The Associados Amazon Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8. This is due to missing or incorrect nonce validation on the brzon_admin_panel() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:47.372Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12403", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:47.372Z", "dateReserved": "2025-10-28T14:31:31.184Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:23.574Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Associados Amazon Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8. This is due to missing or incorrect nonce validation on the brzon_admin_panel() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12403", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:12.773", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L568"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L569"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/brzon/tags/0.8/brzon.php#L589"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7968054-69f1-47f5-9a32-b124ee1133ce?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:53:48.074567+00:00", "value": {"mitigation_remediation": ["Upgrade the Associados Amazon Plugin to the latest available version that implements proper nonce validation or remove the plugin if it is no longer needed", "Apply the patch manually by editing the brzon_admin_panel() function to include a valid nonce check before processing any settings changes", "Implement a web\u2011application firewall rule that blocks unauthorized POST requests to the plugin\u2019s admin panel endpoint to mitigate the risk while awaiting a patch"], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Revokee Associados Amazon Plugin for WordPress, all releases up to and including version 0.8. No specific WordPress core versions are listed, but the plugin must be installed on any WordPress site to be impacted.", "description_and_impact": "The Associados Amazon Plugin contains a missing or incorrect nonce validation in the brzon_admin_panel() function, allowing an attacker to perform Cross\u2011Site Request Forgery. An unauthenticated user can trick a site administrator into clicking a crafted link, leading to the automatic update of plugin settings and the injection of malicious scripts stored in the site database. The resulting stored cross\u2011site scripting can execute inside the browser of any user who visits the affected site. This weakness is classified as CWE\u2011352 and results in a moderate severity vulnerability with potential for broad compromise once a malicious script runs in the admin context.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.1 and an EPSS score of less than 1\u202f%, indicating a relatively low likelihood of exploitation under normal circumstances. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires that an admin user is logged in and falls for a social\u2011engineering prompt, making it easier for attackers to acquire an authenticated session. Although the risk is moderate, the exploitability is low, and only active, active administrators are the primary attack target."}}}}, "created": "2025-11-04T16:33:14.662513+00:00", "updated": "2026-04-21T02:00:12.302353+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}