{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12715", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-04T20:32:13.980Z", "datePublished": "2025-12-06T05:49:30.487Z", "dateUpdated": "2026-04-08T17:09:58.734Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:58.734Z"}, "affected": [{"vendor": "emaude", "product": "Canadian Nutrition Facts Label", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950e5d04-1436-4886-8d36-fca38bd9414a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/canadian-nutrition-facts-label/tags/3.0/canadian-nutrition-facts-label.php#L557"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-12-05T17:47:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:16:38.657148Z", "id": "CVE-2025-12715", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:17:18.388Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:16:38.657148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:16:54.205Z"}}], "cna": {"title": "Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "emaude", "product": "Canadian Nutrition Facts Label", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:47:10.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950e5d04-1436-4886-8d36-fca38bd9414a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/canadian-nutrition-facts-label/tags/3.0/canadian-nutrition-facts-label.php#L557"}], "descriptions": [{"lang": "en", "value": "The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:58.734Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12715", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:58.734Z", "dateReserved": "2025-11-04T20:32:13.980Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:30.487Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12715", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:50.397", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/canadian-nutrition-facts-label/tags/3.0/canadian-nutrition-facts-label.php#L557"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950e5d04-1436-4886-8d36-fca38bd9414a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:51:59.098646+00:00", "value": {"mitigation_remediation": ["Upgrade the Canadian Nutrition Facts Label plugin to a version newer than 3.0 that implements proper input sanitization.", "Restrict the Contributor role\u2019s ability to edit Nutrition Labels by adjusting role capabilities or reassignment to a role without those permissions.", "Manually review and cleanse existing Nutrition Labels, removing or escaping any suspicious content in the percentage field."], "summary": {"action": "Upgrade Plugin", "impact": "Stored XSS for contributors and higher in the Canadian Nutrition Facts Label plugin"}, "threat_synthesis": {"affected_systems": "WordPress sites using the emaude Canadian Nutrition Facts Label plugin, version 3.0 and earlier.", "description_and_impact": "The plugin accepts the percentage value in a custom post type without sanitizing or escaping the input. This is a CWE-79 Stored Cross\u2011Site Scripting flaw. An authenticated user with Contributor level access can insert arbitrary JavaScript, which will be rendered and executed in the browser of any visitor who views that label. The flaw does not allow server\u2011side control or data exfiltration beyond what can be achieved from client\u2011side code.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate risk. An EPSS score of less than 1\u202f% suggests a very low exploitation probability in the near term, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to have Contributor\u2011level or greater access to the site; no additional privileges are needed. Once a contributor injects a malicious payload, every user who visits the compromised label will receive the injected script."}}}}, "created": "2025-12-08T09:39:32.957507+00:00", "updated": "2026-04-22T04:00:07.991421+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}