{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12671", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T21:37:13.923Z", "datePublished": "2025-11-11T03:30:46.108Z", "dateUpdated": "2026-04-08T17:06:51.359Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:51.359Z"}, "affected": [{"vendor": "mrx3k1", "product": "WP-Iconics", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_iconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90ec6c64-f2c6-483e-9d8b-25e65ccb4a90?source=cve"}, {"url": "https://wordpress.org/plugins/wp-iconics/"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-iconics/tags/0.0.4/wp-iconics.php#L47"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2025-11-10T15:25:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:13:26.780831Z", "id": "CVE-2025-12671", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:05:45.853Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12671", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:13:26.780831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:13:30.391Z"}}], "cna": {"title": "WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mrx3k1", "product": "WP-Iconics", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:25:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90ec6c64-f2c6-483e-9d8b-25e65ccb4a90?source=cve"}, {"url": "https://wordpress.org/plugins/wp-iconics/"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-iconics/tags/0.0.4/wp-iconics.php#L47"}], "descriptions": [{"lang": "en", "value": "The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_iconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:51.359Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12671", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:51.359Z", "dateReserved": "2025-11-03T21:37:13.923Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:46.108Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_iconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12671", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:49.593", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-iconics/tags/0.0.4/wp-iconics.php#L47"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wp-iconics/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90ec6c64-f2c6-483e-9d8b-25e65ccb4a90?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:27:59.640880+00:00", "value": {"mitigation_remediation": ["Update the WP\u2011Iconics plugin to the newest stable release to remove the vulnerability.", "If an immediate upgrade is not feasible, reduce the permissions of Contributor and higher roles so they cannot access the shortcode parameters that are vulnerable.", "Configure a Content Security Policy that restricts script execution from untrusted sources to mitigate the impact of any lingering stored scripts."], "summary": {"action": "Upgrade Plugin", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected component is the WP\u2011Iconics plugin from vendor mrx3k1, versions 0.0.4 and earlier. No other vendors or products are listed.", "description_and_impact": "The WP\u2011Iconics plugin admits stored cross\u2011site scripting through several parameters of the 'wp_iconics' shortcode in all releases up to 0.0.4. This weakness stems from inadequate input sanitization and output escaping and is classified as CWE\u201179. An authenticated user with Contributor privilege or higher can inject arbitrary JavaScript that runs whenever a visitor views an affected page, potentially allowing phishing, credential theft, or defacement of the site.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1\u202f%, suggesting a low probability of exploitation in the near term. It is not listed in the CISA KEV catalog. The exploit requires a valid WordPress session with Contributor or higher access, so an attacker must first authenticate to the site before injecting malicious payloads."}}}}, "created": "2025-11-12T12:47:46.173021+00:00", "updated": "2026-04-21T18:30:27.587998+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}