{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12670", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T21:33:53.732Z", "datePublished": "2025-11-27T02:26:14.607Z", "dateUpdated": "2026-04-08T17:18:26.223Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:26.223Z"}, "affected": [{"vendor": "realin", "product": "wp-twitpic", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "wp-twitpic <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb36fd27-bcea-481c-a7aa-815dc684ed8b?source=cve"}, {"url": "https://wordpress.org/plugins/wp-twitpic/"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-twitpic/tags/1.0/wp-twitpic.php#L42"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2025-11-26T14:19:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T14:39:36.628407Z", "id": "CVE-2025-12670", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T19:33:41.667Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12670", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T14:39:36.628407Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T14:39:37.357Z"}}], "cna": {"title": "wp-twitpic <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "realin", "product": "wp-twitpic", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-26T14:19:16.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb36fd27-bcea-481c-a7aa-815dc684ed8b?source=cve"}, {"url": "https://wordpress.org/plugins/wp-twitpic/"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-twitpic/tags/1.0/wp-twitpic.php#L42"}], "descriptions": [{"lang": "en", "value": "The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-27T02:26:14.607Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12670", "state": "PUBLISHED", "dateUpdated": "2025-11-28T19:33:41.667Z", "dateReserved": "2025-11-03T21:33:53.732Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T02:26:14.607Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12670", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T03:15:57.933", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-twitpic/tags/1.0/wp-twitpic.php#L42"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wp-twitpic/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb36fd27-bcea-481c-a7aa-815dc684ed8b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:56:38.364108+00:00", "value": {"mitigation_remediation": ["Uninstall or disable the wp\u2011twitpic plugin to eliminate the attack surface.", "If the functionality is required, upgrade to a version that implements proper input sanitization and output escaping (currently none exist beyond 1.0, so consider replacing the plugin with a vetted alternative).", "Restrict Contributor or higher roles so that only trusted administrators can edit content containing the twitpic shortcode, or remove the capability to edit content that uses the plugin.", "As a temporary workaround, add a custom filter in your theme\u2019s functions.php to escape or strip disallowed characters from the shortcode parameters before rendering."], "summary": {"action": "Apply Patch", "impact": "Stored cross\u2011site scripting enabled for users with Contributor or higher access on WordPress sites running wp\u2011twitpic 1.0 or earlier"}, "threat_synthesis": {"affected_systems": "This flaw affects the Realin wp\u2011twitpic WordPress plugin, all released versions up to and including 1.0, when installed on any WordPress site that assigns contributor or higher roles. Sites employing this plugin and running the vulnerable version are at risk.", "description_and_impact": "The wp\u2011twitpic plugin contains a stored cross\u2011site scripting vulnerability (CWE\u201179) that allows an authenticated user with Contributor\u2011level or higher privileges to inject arbitrary scripts via multiple parameters of the \u2018twitpic\u2019 shortcode. When a user opens a page containing the maliciously crafted shortcode, the injected script executes in that user\u2019s browser, potentially leading to session hijacking, defacement, or further attacks within the authenticated user\u2019s session.", "risk_and_exploitability": "With a CVSS score of 6.4, the vulnerability is of medium severity. The EPSS score of less than 1\u202f% suggests low likelihood of exploitation, and the flaw is not currently listed in the CISA KEV catalog. However, exploitation requires only a legitimate contributor\u2011level account, so compromised credentials or social engineering can provide the necessary access. The attacker need only supply malicious shortcode parameters, so the attack vector is straightforward once authenticated, and the impact is confined to page rendering for any user who views the injected content."}}}}, "created": "2025-11-27T16:26:21.118179+00:00", "updated": "2026-04-21T18:00:11.741673+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}