{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12484", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-29T19:11:25.942Z", "datePublished": "2025-11-19T07:46:07.439Z", "dateUpdated": "2026-04-08T17:02:46.970Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:46.970Z"}, "affected": [{"vendor": "smub", "product": "Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.19 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cda6aad-36e1-45c7-af46-a7b90bb2d339?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L539"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L543"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L547"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L551"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L555"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L559"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L563"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/entry.php#L110"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3398188%40rafflepress&old=3346436%40rafflepress&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "timeline": [{"time": "2025-10-29T19:28:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-18T19:41:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T18:10:15.857557Z", "id": "CVE-2025-12484", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T18:15:43.641Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T18:10:15.857557Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T18:14:58.679Z"}}], "cna": {"title": "Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.19 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "smub", "product": "Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.12.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-29T19:28:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-18T19:41:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cda6aad-36e1-45c7-af46-a7b90bb2d339?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L539"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L543"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L547"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L551"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L555"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L559"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L563"}, {"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/entry.php#L110"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3398188%40rafflepress&old=3346436%40rafflepress&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:46.970Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12484", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:46.970Z", "dateReserved": "2025-10-29T19:11:25.942Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-19T07:46:07.439Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12484", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-19T08:15:51.367", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/entry.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L539"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L543"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L547"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L551"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L555"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L559"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L563"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3398188%40rafflepress&old=3346436%40rafflepress&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cda6aad-36e1-45c7-af46-a7b90bb2d339?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:08:57.158852+00:00", "value": {"mitigation_remediation": ["Update the RafflePress plugin to the latest version that removes the vulnerable input handling.", "If an update cannot be applied immediately, disable or remove the affected social media username fields from the plugin configuration.", "Implement a Web Application Firewall or add a Content Security Policy that blocks inline scripts to reduce the impact of any residual XSS payloads."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers. All releases up to and including version\u202f1.12.19 are vulnerable. No additional product versions have been listed as affected. Deployments must therefore verify the installed version and plan a remediation update.", "description_and_impact": "The vulnerability occurs because the plugin fails to sanitize or escape several social media username input fields, enabling an attacker to store malicious JavaScript. When a page renders these fields the untrusted code runs in the context of any site visitor. Attackers could steal session cookies, deface content, or direct users to phishing sites. The weakness is documented as CWE\u201179.", "risk_and_exploitability": "The CVSS base score is 7.2, indicating a high impact and moderately complex exploitation. The EPSS score of less than 1\u202f% shows that active exploitation is uncommon, and the defect is not in the CISA KEV catalog. Because the flaw is an unauthenticated stored XSS, an attacker only requires the ability to submit data through the exposed username fields; no other privilege or system access is necessary. If the site is publicly accessible, the risk can affect any visitor to the page that contains the injected content."}}}}, "created": "2025-11-20T10:30:46.127076+00:00", "updated": "2026-04-21T18:15:36.374158+00:00", "vendors": ["rafflepress", "rafflepress$PRODUCT$giveaways_and_contests", "rafflepress$PRODUCT$giveaways_and_contests_by_rafflepress", "wordpress", "wordpress$PRODUCT$wordpress"]}