{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12651", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T20:14:24.278Z", "datePublished": "2025-11-11T03:30:53.197Z", "dateUpdated": "2026-04-08T17:34:33.390Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:33.390Z"}, "affected": [{"vendor": "eggemplo", "product": "Live Photos on WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page."}], "title": "Live Photos on WordPress <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fba3090f-2cc2-4e40-8080-ae83ba321a67?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/live-photos/tags/0.1/core/class-livephotos-shortcodes.php#L42"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2025-11-10T14:51:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T15:20:51.179440Z", "id": "CVE-2025-12651", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:29:54.335Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12651", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-14T15:20:51.179440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:20:56.919Z"}}], "cna": {"title": "Live Photos on WordPress <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "eggemplo", "product": "Live Photos on WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T14:51:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fba3090f-2cc2-4e40-8080-ae83ba321a67?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/live-photos/tags/0.1/core/class-livephotos-shortcodes.php#L42"}], "descriptions": [{"lang": "en", "value": "The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:33.390Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12651", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:33.390Z", "dateReserved": "2025-11-03T20:14:24.278Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:53.197Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page."}], "id": "CVE-2025-12651", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:48.217", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/live-photos/tags/0.1/core/class-livephotos-shortcodes.php#L42"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fba3090f-2cc2-4e40-8080-ae83ba321a67?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:25:39.584118+00:00", "value": {"mitigation_remediation": ["Deploy a newer version of the Live Photos on WordPress plugin that includes the XSS fix.", "If the newer version is not available, completely uninstall or disable the plugin to prevent exploitation.", "Ensure that only trusted site administrators with high privileges deploy the shortcode; consider tightening role capabilities or removing the shortcode from content editable by contributors."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via Shortcode"}, "threat_synthesis": {"affected_systems": "The affected product is the Live Photos on WordPress plugin developed by eggemplo. All released versions up to and including 0.1 are vulnerable. Users who have deployed any of those versions are at risk until they upgrade or remove the plugin.", "description_and_impact": "The Live Photos on WordPress plugin stores user\u2011supplied values for the 'video_src', 'img_src', and 'class' attributes of the livephotos_photo shortcode without proper sanitization or escaping. This flaw allows a contributor\u2011level attacker to inject arbitrary JavaScript that will run when a page containing the stored data is loaded by a user. The injected script executes within the context of the site, giving the attacker the ability to perform client\u2011side attacks such as defacing content, redirecting users, or collecting information from the victim\u2019s browser.", "risk_and_exploitability": "The CVSS score for this vulnerability is 6.4, indicating a moderate level of severity. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low, and it is not listed in the CISA KEV catalog. The attack requires authenticated access with at least contributor privileges and the ability to edit content that contains the shortcode. An attacker who succeeds can inject malicious scripts that will execute for any user who views the affected page, potentially leading to a range of client\u2011side attacks."}}}}, "created": "2025-11-12T12:42:59.050334+00:00", "updated": "2026-04-21T18:30:27.585435+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}