{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12631", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T14:39:15.330Z", "datePublished": "2025-11-11T03:30:47.001Z", "dateUpdated": "2026-04-08T17:12:02.542Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:02.542Z"}, "affected": [{"vendor": "spokanetony", "product": "Squirrels Auto Inventory", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f93ee42-c21d-47cf-b140-65809da75653?source=cve"}, {"url": "https://wordpress.org/plugins/squirrels-auto-inventory/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-11-10T15:00:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:12:17.628315Z", "id": "CVE-2025-12631", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:05:34.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12631", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:12:17.628315Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:12:19.739Z"}}], "cna": {"title": "Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "spokanetony", "product": "Squirrels Auto Inventory", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:00:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f93ee42-c21d-47cf-b140-65809da75653?source=cve"}, {"url": "https://wordpress.org/plugins/squirrels-auto-inventory/"}], "descriptions": [{"lang": "en", "value": "The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:02.542Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12631", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:02.542Z", "dateReserved": "2025-11-03T14:39:15.330Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:47.001Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12631", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:47.557", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/squirrels-auto-inventory/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f93ee42-c21d-47cf-b140-65809da75653?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:27:28.763798+00:00", "value": {"mitigation_remediation": ["Update the Squirrels Auto Inventory plugin to a version newer than 1.0.3.", "If an update is not immediately possible, restrict administrator access or temporarily disable the plugin until a patched version is available.", "Configure a web application firewall or use a security plugin to block known XSS payloads on the affected pages."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the Squirrels Auto Inventory plugin, version 1.0.3 and earlier, on multi\u2011site WordPress environments where the unfiltered_html feature is disabled. All users who have the ability to access the plugin\u2019s admin settings can exploit the flaw, and the impact is realized on other site visitors who view pages containing the injected content.", "description_and_impact": "The Squirrels Auto Inventory plugin for WordPress contains a stored XSS flaw in administration settings across all versions up to 1.0.3. When an authenticated user with administrator privileges or higher alters these settings, unsanitized input can be stored and later rendered within pages. The stored script executes in the browsers of any user who views an affected page, allowing the attacker to steal cookies, hijack sessions, or inject malicious content without the user\u2019s knowledge.", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate severity, and the EPSS score of less than 1% shows a low probability of exploitation as of the latest data. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires administrator credentials, so the the attack surface is limited to privileged users. Once the stored payload is present, however, it can affect any visitor to the injected page."}}}}, "created": "2025-11-12T12:47:39.448697+00:00", "updated": "2026-04-21T18:30:27.586970+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}