{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12538", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-30T20:46:46.152Z", "datePublished": "2025-11-11T03:30:36.625Z", "dateUpdated": "2026-04-08T16:47:54.945Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:54.945Z"}, "affected": [{"vendor": "iworks", "product": "Fleet Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fleet Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Fleet Manager <= 2.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e72644c-138d-4733-bcca-a8305273d1a0?source=cve"}, {"url": "https://it.wordpress.org/plugins/fleet/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415747%40fleet&new=3415747%40fleet&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}, {"lang": "en", "type": "finder", "value": "Marco Aniello Guida"}], "timeline": [{"time": "2025-11-10T14:58:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T16:34:39.255528Z", "id": "CVE-2025-12538", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:08:11.549Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12538", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T16:34:39.255528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T16:34:41.158Z"}}], "cna": {"title": "Fleet Manager <= 2.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}, {"lang": "en", "type": "finder", "value": "Marco Aniello Guida"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "iworks", "product": "Fleet Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T14:58:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e72644c-138d-4733-bcca-a8305273d1a0?source=cve"}, {"url": "https://it.wordpress.org/plugins/fleet/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415747%40fleet&new=3415747%40fleet&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Fleet Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:54.945Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12538", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:54.945Z", "dateReserved": "2025-10-30T20:46:46.152Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:36.625Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fleet Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12538", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:46.887", "references": [{"source": "security@wordfence.com", "url": "https://it.wordpress.org/plugins/fleet/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415747%40fleet&new=3415747%40fleet&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e72644c-138d-4733-bcca-a8305273d1a0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:32:27.730420+00:00", "value": {"mitigation_remediation": ["Upgrade the Fleet Manager plugin to version 2.5.2 or later if available", "Remove or sanitize any injected script content stored in the plugin\u2019s settings", "If an upgrade is delayed, restrict editor roles from accessing the affected admin pages or convert the site to a single\u2011site configuration to mitigate the exposure"], "summary": {"action": "Upgrade", "impact": "Stored cross\u2011site scripting with editor\u2011level access"}, "threat_synthesis": {"affected_systems": "WordPress installations using the iWorks Fleet Manager plugin, versions 2.5.1 and earlier, on multi\u2011site networks where the unfiltered_html capability is disabled. Sites with single\u2011site setups are not impacted.", "description_and_impact": "The vulnerability allows injection of arbitrary scripts into the Fleet Manager configuration pages. When an authenticated user with editor or higher privileges modifies the settings, the input is stored without proper sanitization or escaping, and will be rendered on subsequent page loads. This results in client\u2011side code executing in the context of any user who views the affected page, potentially exposing session data, cookies, or enabling defacement.", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate severity. An attacker must first authenticate with editor or higher permissions, which limits the potential exploit pool. The EPSS score of less than 1% reflects a low likelihood of exploitation, and the flaw is not listed in the CISA KEV catalog. The attack vector can be inferred as an authenticated administrative intrusion; the resulting XSS would be browser\u2011side and cannot execute server\u2011side commands."}}}}, "created": "2025-11-12T12:47:35.737499+00:00", "updated": "2026-04-21T18:45:06.071960+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}