{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12645", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T19:46:06.811Z", "datePublished": "2025-11-25T07:28:25.635Z", "dateUpdated": "2026-04-08T17:24:32.050Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:32.050Z"}, "affected": [{"vendor": "karthiksg", "product": "Inline frame \u2013 Iframe", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Inline frame \u2013 Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Inline frame \u2013 Iframe <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-11-24T19:09:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T15:00:48.538479Z", "id": "CVE-2025-12645", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T15:01:01.488Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12645", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T15:00:48.538479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T15:00:54.377Z"}}], "cna": {"title": "Inline frame \u2013 Iframe <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "karthiksg", "product": "Inline frame \u2013 Iframe", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:09:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76"}], "descriptions": [{"lang": "en", "value": "The Inline frame \u2013 Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:32.050Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12645", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:32.050Z", "dateReserved": "2025-11-03T19:46:06.811Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:25.635Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Inline frame \u2013 Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12645", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:49.283", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:24:26.935209+00:00", "value": {"mitigation_remediation": ["Update the Inline frame \u2013 Iframe plugin to a version newer than 0.1, or remove the plugin if no update is available.", "Disable or delete any use of the embedsite shortcode on posts and pages to eliminate the XSS vector.", "Limit contributor\u2011level access or restrict roles that can edit content to trusted users only."], "summary": {"action": "Patch Plugin", "impact": "Stored cross\u2011site scripting allowing attacker\u2011controlled scripts to run in the browsers of users who view infected content"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Inline frame \u2013 Iframe plugin installed with a version of 0.1 or earlier are affected. All releases up to and including version 0.1 contain the vulnerable shortcode.", "description_and_impact": "The Inline frame \u2013 Iframe plugin for WordPress is vulnerable to a stored cross\u2011site scripting flaw in the embedsite shortcode. Insufficient input sanitization and output escaping allow an authenticated attacker with contributor or higher privileges to insert arbitrary JavaScript that is persisted and executed whenever a user visits a page containing the shortcode.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1\u202f% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must have contributor\u2011level or higher access to the WordPress dashboard; the flaw is only exploitable when the embedsite shortcode is used on a page."}}}}, "created": "2025-11-26T11:11:08.960677+00:00", "updated": "2026-04-22T00:30:04.051122+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}