{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12650", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T20:11:43.985Z", "datePublished": "2025-12-12T03:20:59.672Z", "dateUpdated": "2026-04-08T17:28:34.631Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:34.631Z"}, "affected": [{"vendor": "sgcoskey", "product": "Simple post listing", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction."}], "title": "Simple post listing <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfdebeab-89f6-49b8-a38f-de2a8df7a7e8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-post-listing/tags/0.2/simple-post-listing.php#L77"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-12-11T14:30:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T20:36:29.386159Z", "id": "CVE-2025-12650", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:36:36.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12650", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T20:36:29.386159Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:36:33.870Z"}}], "cna": {"title": "Simple post listing <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "sgcoskey", "product": "Simple post listing", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:30:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfdebeab-89f6-49b8-a38f-de2a8df7a7e8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-post-listing/tags/0.2/simple-post-listing.php#L77"}], "descriptions": [{"lang": "en", "value": "The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:34.631Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12650", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:34.631Z", "dateReserved": "2025-11-03T20:11:43.985Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:59.672Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction."}], "id": "CVE-2025-12650", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:38.773", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-post-listing/tags/0.2/simple-post-listing.php#L77"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfdebeab-89f6-49b8-a38f-de2a8df7a7e8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:52:08.271065+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple post listing plugin to the latest available version that removes the stored XSS flaw (any release after 0.2).", "If an upgrade is not possible, delete or disable the plugin to eliminate the attack surface.", "As a temporary measure, restrict the contributor role to trusted users only and monitor content for unexpected JavaScript."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) via a plugin attribute"}, "threat_synthesis": {"affected_systems": "WordPress sites using the \"Simple post listing\" plugin (sgcoskey) with any version 0.2 or earlier are affected. The vulnerability is exploitable only when the attacker has at least contributor permissions and does not demand remote code execution or system compromise.", "description_and_impact": "The Simple post listing plugin, in versions up to and including 0.2, fails to properly sanitize the \"class_name\" attribute in the short\u2011code it exposes. When a contributor or higher level user supplies malicious content through this parameter, the value is stored and later rendered without escaping. Consequently, attackers can place arbitrary JavaScript that executes in the browsers of any user who views a page containing the affected shortcode. This weakness (CWE\u201179) allows an authenticated attacker with contributor privileges to hijack sessions, deface pages, or harvest credentials by exploiting unsuspecting visitors.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1% suggests currently low exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog, further indicating limited or no reported exploitation. An attacker would need to authenticate and use the contributor role to insert malicious code via the shortcode; the threat is limited to cross\u2011site scripting rather than server\u2011side compromise."}}}}, "created": "2025-12-12T08:47:57.504318+00:00", "updated": "2026-04-21T01:00:12.957256+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}