{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12709", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-04T19:33:52.974Z", "datePublished": "2026-01-28T06:43:44.129Z", "dateUpdated": "2026-04-08T17:14:40.283Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:40.283Z"}, "affected": [{"vendor": "bfintal", "product": "Interactions \u2013 Create Interactive Experiences in the Block Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Interactions \u2013 Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Interactions \u2013 Create Interactive Experiences in the Block Editor <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab97f125-3a4a-4293-b218-07586c1c021c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448073%40interactions&new=3448073%40interactions"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "timeline": [{"time": "2026-01-27T17:57:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:54:16.244101Z", "id": "CVE-2025-12709", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:55:05.974Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12709", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:54:16.244101Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:54:46.973Z"}}], "cna": {"title": "Interactions \u2013 Create Interactive Experiences in the Block Editor <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bfintal", "product": "Interactions \u2013 Create Interactive Experiences in the Block Editor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-27T17:57:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab97f125-3a4a-4293-b218-07586c1c021c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448073%40interactions&new=3448073%40interactions"}], "descriptions": [{"lang": "en", "value": "The Interactions \u2013 Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-28T06:43:44.129Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12709", "state": "PUBLISHED", "dateUpdated": "2026-01-28T14:55:05.974Z", "dateReserved": "2025-11-04T19:33:52.974Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T06:43:44.129Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Interactions \u2013 Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Interactions \u2013 Create Interactive Experiences in the Block Editor para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de selectores de eventos en todas las versiones hasta la 1.3.1, inclusive, debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-12709", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T07:15:57.170", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448073%40interactions&new=3448073%40interactions"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab97f125-3a4a-4293-b218-07586c1c021c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:18:32.393332+00:00", "value": {"mitigation_remediation": ["Upgrade the Interactions plugin to the latest released version, which removes the XSS flaw.", "If an upgrade is not immediately possible, disable or uninstall the plugin to eliminate the vulnerable code.", "Limit Contributor and other non\u2011admin users from creating or editing event selectors that can accept JavaScript, or enforce strict input validation on those fields."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting that allows arbitrary script execution on all users who view the injected page."}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the WordPress plugin Interactions \u2013 Create Interactive Experiences in the Block Editor from the vendor bfintal. All releases up to and including version 1.3.1 are affected. Site administrators should check the plugin version and upgrade if necessary.", "description_and_impact": "The Interactions \u2013 Create Interactive Experiences in the Block Editor plugin is vulnerable to stored XSS. Insufficient sanitization of event selector inputs and missing output escaping enable an authenticated contributor or higher to embed arbitrary JavaScript that will run automatically whenever a page containing the edited event selector is loaded by any visitor. This can lead to session hijacking, credential theft, or arbitrary code execution in the context of the site\u2019s user accounts.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score is below 1\u202f%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires an attacker to have Contributor\u2011level or higher access to the WordPress installation, a condition that is likely satisfied in many collaborative sites. Once an event selector is injected, the malicious script runs for every visitor without further action, making this a persistent threat to all users who view the compromised page."}}}}, "created": "2026-01-29T09:18:05.586328+00:00", "updated": "2026-04-21T00:30:22.964844+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}