{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12677", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T22:04:56.746Z", "datePublished": "2025-11-05T07:27:55.399Z", "dateUpdated": "2026-04-08T16:36:11.598Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:11.598Z"}, "affected": [{"vendor": "mykiot", "product": "KiotViet Sync", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured."}], "title": "KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1114a84e-3425-402f-bcdc-a2ee05b2dbc9?source=cve"}, {"url": "https://wordpress.org/plugins/kiotvietsync/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-11-04T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T14:21:33.460256Z", "id": "CVE-2025-12677", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:21:40.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12677", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T14:21:33.460256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:21:37.236Z"}}], "cna": {"title": "KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "mykiot", "product": "KiotViet Sync", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.8.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-04T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1114a84e-3425-402f-bcdc-a2ee05b2dbc9?source=cve"}, {"url": "https://wordpress.org/plugins/kiotvietsync/"}], "descriptions": [{"lang": "en", "value": "The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-05T07:27:55.399Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12677", "state": "PUBLISHED", "dateUpdated": "2025-11-05T14:21:40.476Z", "dateReserved": "2025-11-03T22:04:56.746Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-05T07:27:55.399Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured."}], "id": "CVE-2025-12677", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-05T08:15:33.843", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/kiotvietsync/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1114a84e-3425-402f-bcdc-a2ee05b2dbc9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:24:08.848008+00:00", "value": {"mitigation_remediation": ["Update the KiotViet Sync plugin to the latest version available in the WordPress plugin repository.", "If an update cannot be performed immediately, remove or disable the plugin\u2019s webhook functionality to prevent token exposure.", "Monitor the plugin\u2019s public updates and vulnerability advisories for patch releases."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of the KiotViet Sync WordPress plugin (up to and including 1.8.5). The flaw exists in all builds from the earliest release to 1.8.5, regardless of other configuration. The affected product is identified as mykiot:KiotViet Sync.", "description_and_impact": "The KiotViet Sync plugin for WordPress contains a flaw that allows an unauthenticated attacker to learn the webhook token. The vulnerability stems from the register_api_route() function in WebHookAction.php, which exposes the token value when it is configured. Because the webhook token grants privileged access to the service, disclosure enables an attacker to perform token\u2011based operations or abuse the integration.", "risk_and_exploitability": "The CVSS base score is 5.3, classifying the issue as Medium severity. The EPSS score is less than 1%, indicating a low probability of exploitation at this time. The weakness is not listed in CISA KEV. Based on the description, it is inferred that the flaw can be triggered by any web request to the plugin, although the exact request path is not explicitly specified. The vulnerability does not require authentication or elevated privileges. An attacker who discovers the token can then use it to interact with the webhook API and potentially compromise the target site or the backend service."}}}}, "created": "2025-11-06T10:07:20.592673+00:00", "updated": "2026-04-28T10:30:29.018841+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}