{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12475", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-29T16:13:20.241Z", "datePublished": "2025-10-30T04:26:01.452Z", "dateUpdated": "2026-04-08T17:27:57.538Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:57.538Z"}, "affected": [{"vendor": "creativethemeshq", "product": "Blocksy Companion", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd13eb67-3bd5-41c4-a47f-5f55656ea5b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371878/blocksy-companion/trunk/framework/extensions/newsletter-subscribe/helpers.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-10-06T19:56:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-06T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-30T13:53:58.297283Z", "id": "CVE-2025-12475", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-30T13:54:22.488Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-30T13:53:58.297283Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-30T13:54:03.092Z"}}], "cna": {"title": "Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "creativethemeshq", "product": "Blocksy Companion", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-06T19:56:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-06T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd13eb67-3bd5-41c4-a47f-5f55656ea5b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371878/blocksy-companion/trunk/framework/extensions/newsletter-subscribe/helpers.php"}], "descriptions": [{"lang": "en", "value": "The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:57.538Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12475", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:57.538Z", "dateReserved": "2025-10-29T16:13:20.241Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-30T04:26:01.452Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12475", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-30T05:15:37.967", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3371878/blocksy-companion/trunk/framework/extensions/newsletter-subscribe/helpers.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd13eb67-3bd5-41c4-a47f-5f55656ea5b9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:44:18.159294+00:00", "value": {"mitigation_remediation": ["Upgrade Blocksy Companion to the latest available version, which contains the necessary input sanitization and output escaping fixes.", "If an upgrade cannot be performed immediately, remove or disable the blocksy_newsletter_subscribe shortcode from your site or lock down contributor roles to prevent injection of malicious attributes.", "Verify that no legacy newsletter\u2011subscribe blocks remain in the page content and that the plugin no longer renders user\u2011provided attributes unsanitized."], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The problem affects every instance of the creativethemeshq Blocksy Companion plugin installed on a WordPress site, in all releases up to and including version 2.1.14. Users who have contributed or higher roles on the site and who can embed the plugin\u2019s shortcode may be the source of the injection.", "description_and_impact": "The Blocksy Companion plugin for WordPress is vulnerable to stored cross\u2011site scripting through its blocksy_newsletter_subscribe shortcode, allowing an attacker with contributor\u2011level or higher access to inject arbitrary JavaScript into attributes that are rendered on pages. This flaw causes the injected scripts to run in the context of site visitors whenever the injected content is viewed, due to insufficient input sanitization and output escaping of user\u2011supplied parameters.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exfiltration or persistence is not described in the CVE entry; the flaw requires authenticated contributor or higher access, and any visitor to the page where the malicious shortcode is embedded will execute the injected script."}}}}, "created": "2025-10-30T14:37:26.751148+00:00", "updated": "2026-04-21T18:45:06.086281+00:00", "vendors": ["creativethemes", "creativethemes$PRODUCT$blocksy_companion", "wordpress", "wordpress$PRODUCT$wordpress"]}