{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12412", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T15:34:37.419Z", "datePublished": "2025-11-04T04:27:12.930Z", "dateUpdated": "2026-04-08T16:34:13.704Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:13.704Z"}, "affected": [{"vendor": "josereyev", "product": "Top Bar Notification", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on th tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Top Bar Notification <= 1.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0856f3bf-da17-44bb-aa30-26f9fb6e22b1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/top-bar-notification/tags/1.12/Notification.php#L102"}, {"url": "https://plugins.trac.wordpress.org/browser/top-bar-notification/tags/1.12/Notification.php#L75"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2025-11-03T15:32:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T20:53:10.044578Z", "id": "CVE-2025-12412", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T20:53:26.807Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12412", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T20:53:10.044578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T20:53:20.883Z"}}], "cna": {"title": "Top Bar Notification <= 1.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "josereyev", "product": "Top Bar Notification", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T15:32:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0856f3bf-da17-44bb-aa30-26f9fb6e22b1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/top-bar-notification/tags/1.12/Notification.php#L102"}, {"url": "https://plugins.trac.wordpress.org/browser/top-bar-notification/tags/1.12/Notification.php#L75"}], "descriptions": [{"lang": "en", "value": "The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on th tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:13.704Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12412", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:13.704Z", "dateReserved": "2025-10-28T15:34:37.419Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:12.930Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on th tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12412", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:13.150", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/top-bar-notification/tags/1.12/Notification.php#L102"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/top-bar-notification/tags/1.12/Notification.php#L75"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0856f3bf-da17-44bb-aa30-26f9fb6e22b1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:00:07.112501+00:00", "value": {"mitigation_remediation": ["Upgrade the Top Bar Notification plugin to a version newer than 1.12.", "If upgrading is not immediately possible, deactivate the plugin or remove the th tbn_ajax_add() functionality by editing the plugin file or adding a hook to disallow AJAX requests from unauthenticated users.", "After the upgrade or mitigation, review and reset any plugin settings that may have been altered by the CSRF attack, and verify that no malicious scripts remain in stored content."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "Users of the Top Bar Notification plugin from vendor josereyev, specifically all releases version 1.12 and earlier, are affected. No specific patch levels are listed, but the vulnerability applies to the entire vulnerability window up to and including 1.12.", "description_and_impact": "The Top Bar Notification plugin for WordPress contains a critical flaw where the th tbn_ajax_add() function does not correctly validate the nonce. This missing protection allows an attacker to perform a cross\u2011site request forgery that updates the plugin\u2019s settings and injects malicious scripts into the site\u2019s stored data. The resulting stored cross\u2011site scripting can lead to execution of arbitrary JavaScript in the context of site visitors, potentially compromising user sessions, defacing content, or facilitating further attacks through replayed payloads.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, and the EPSS score being less than 1% suggests a low but non\u2011zero likelihood of exploitation under current threat conditions. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an unauthenticated attacker to trick a site administrator into triggering the forged AJAX request, typically via a malicious link or phishing email. While the attack surface is restricted to users with administrative privileges, any admin click can activate the stored XSS, making the risk significant for active WordPress sites."}}}}, "created": "2025-11-04T16:33:34.227292+00:00", "updated": "2026-04-27T23:00:14.007324+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}