{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12652", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T20:22:22.038Z", "datePublished": "2025-11-11T03:30:34.413Z", "dateUpdated": "2026-04-08T16:42:29.678Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:29.678Z"}, "affected": [{"vendor": "oscaruribe", "product": "Ungapped Widgets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page."}], "title": "Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25d0921b-39b1-4abb-9197-952fc55f80e6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ungapped-widgets/tags/1/ungapped-widgets-plugin.php#L38"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2025-11-10T15:27:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T17:12:40.478908Z", "id": "CVE-2025-12652", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:08:47.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12652", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T17:12:40.478908Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T17:12:45.375Z"}}], "cna": {"title": "Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "oscaruribe", "product": "Ungapped Widgets", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:27:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25d0921b-39b1-4abb-9197-952fc55f80e6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ungapped-widgets/tags/1/ungapped-widgets-plugin.php#L38"}], "descriptions": [{"lang": "en", "value": "The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T03:30:34.413Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12652", "state": "PUBLISHED", "dateUpdated": "2025-11-12T20:08:47.796Z", "dateReserved": "2025-11-03T20:22:22.038Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:34.413Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page."}], "id": "CVE-2025-12652", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:48.380", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ungapped-widgets/tags/1/ungapped-widgets-plugin.php#L38"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25d0921b-39b1-4abb-9197-952fc55f80e6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:23:31.219334+00:00", "value": {"mitigation_remediation": ["Update the Ungapped Widgets plugin to the latest release that resolves the stored XSS issue.", "If no updated version is available, permanently uninstall the plugin to eliminate the vulnerability.", "If the plugin must remain for operational reasons, restrict contributor accounts from creating or editing shortcodes that include the prefillvalues attribute\u2014apply role\u2011based restrictions or use a content moderation workflow to block such edits."], "summary": {"action": "Apply Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has the Ungapped Widgets plugin version 1 or earlier is vulnerable. An attacker must be logged in as a contributor or higher to insert a malicious shortcode; normal site visitors are not required to be authenticated. The risk is limited to pages that render the ungapped\u2011form shortcode; the core WordPress installation itself is not affected.", "description_and_impact": "The Ungapped Widgets plugin for WordPress can store arbitrary JavaScript when an authenticated user with contributor or higher privileges supplies a malicious value in the prefillvalues attribute of the ungapped\u2011form shortcode. Because the input is neither sanitized nor escaped, the injected script is persisted in the database and executed in the browsers of anyone who views a page containing the shortcode. The flaw is a classic client\u2011side code injection, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 categorizes the vulnerability as medium severity. The EPSS score of less than 1% indicates a low probability of widespread exploitation at present, and the issue is not listed in the CISA KEV catalog. Successful exploitation requires the attacker to have editing rights and to supply the malicious shortcode. Once a victim views the affected page, the script runs under their browser context. Based on the description, it is inferred that the attacker could potentially steal credentials, deface content, or carry out additional malicious actions."}}}}, "created": "2025-11-12T12:48:02.456386+00:00", "updated": "2026-04-28T10:30:29.017240+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}