{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12456", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T22:14:56.946Z", "datePublished": "2025-11-04T04:27:17.736Z", "dateUpdated": "2026-04-08T17:00:15.254Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:15.254Z"}, "affected": [{"vendor": "centangle", "product": "Centangle-Team", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, this issue allows to inject arbitrary web scripts in pages, that will execute whenever a user accesses an injected page."}], "title": "Centangle Team Showcase <= 1.0.0 - Cross-Site Request Forgery To Plugin's Settings Modification And Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff637c7-677f-4d70-b3cb-770d0a47e691?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/Centangle-Team-Showcase.php#L132"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L196"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2025-10-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-03T15:51:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T16:43:13.664882Z", "id": "CVE-2025-12456", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:43:20.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12456", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T16:43:13.664882Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:43:16.817Z"}}], "cna": {"title": "Centangle Team Showcase <= 1.0.0 - Cross-Site Request Forgery To Plugin's Settings Modification And Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "centangle", "product": "Centangle-Team", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-03T15:51:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff637c7-677f-4d70-b3cb-770d0a47e691?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/Centangle-Team-Showcase.php#L132"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L172"}, {"url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L196"}], "descriptions": [{"lang": "en", "value": "The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, this issue allows to inject arbitrary web scripts in pages, that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:15.254Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12456", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:15.254Z", "dateReserved": "2025-10-28T22:14:56.946Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:17.736Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, this issue allows to inject arbitrary web scripts in pages, that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12456", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:16.587", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/Centangle-Team-Showcase.php#L132"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L172"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L196"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/centangle-team/trunk/inc_/cai_setting.php#L88"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff637c7-677f-4d70-b3cb-770d0a47e691?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:05:06.631346+00:00", "value": {"mitigation_remediation": ["Upgrade the Centangle\u2011Team plugin to a version that removes the CSRF and XSS flaws (if version 1.0.1 or later is available).", "If no patched release exists, uninstall the plugin entirely and delete any residual configuration files to eliminate the attack surface.", "Implement additional protection on the WordPress administrative interface, such as restricting admin access to known IP addresses, enabling two\u2011factor authentication, and ensuring all request\u2011verification nonces are validated server side."], "summary": {"action": "Apply Patch", "impact": "Unauthorized plugin configuration changes and stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "All WordPress installations containing the Centangle\u2011Team plugin through version 1.0.0 are affected. The CNA vendor is Centangle; the product is Centangle\u2011Team. No later releases are listed as vulnerable.", "description_and_impact": "The Centangle\u2011Team WordPress plugin suffers from missing nonce validation that allows unauthenticated attackers to forge requests. This weakness is a Cross\u2011Site Request Forgery (CWE\u2011352) vulnerability. By tricking an administrator into clicking a crafted link, the attacker can alter the plugin\u2019s settings without credentials. In addition, the plugin fails to sanitize and escape the cai_name_color parameter, enabling the injection of arbitrary JavaScript that is stored and executed every time a page that uses this setting is viewed. The combined effect is that an attacker can remote\u2011alter site configuration and persistently deliver malicious scripts to all visitors, potentially leading to defacement, credential theft, or session hijacking.", "risk_and_exploitability": "The CVSS score of 6.1 classifies this as moderate severity, while the EPSS score of less than 1% indicates a very low probability of exploitation under current threat intelligence. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to lure an administrator into submitting a forged request, which is feasible in social\u2011engineering scenarios. Once the attack succeeds, the stored XSS component delivers scripts to all site visitors, presenting a persistent client\u2011side impact without the need for privileged access."}}}}, "created": "2025-11-04T16:33:05.556036+00:00", "updated": "2026-04-22T06:15:10.425790+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}