{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12904", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T21:47:16.787Z", "datePublished": "2025-11-14T02:24:19.144Z", "dateUpdated": "2026-04-08T17:06:46.096Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:46.096Z"}, "affected": [{"vendor": "otacke", "product": "SNORDIAN's H5PxAPIkatchu", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.4.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "SNORDIAN's H5PxAPIkatchu <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90552d5a-6103-48c7-ad44-52ee8ecac114?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3392176/h5pxapikatchu"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "timeline": [{"time": "2025-11-08T12:28:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-13T13:59:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T15:23:27.745571Z", "id": "CVE-2025-12904", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:23:37.371Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12904", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-14T15:23:27.745571Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:23:33.512Z"}}], "cna": {"title": "SNORDIAN's H5PxAPIkatchu <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data", "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "otacke", "product": "SNORDIAN's H5PxAPIkatchu", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.4.17"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-08T12:28:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-13T13:59:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90552d5a-6103-48c7-ad44-52ee8ecac114?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3392176/h5pxapikatchu"}], "descriptions": [{"lang": "en", "value": "The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:46.096Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12904", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:46.096Z", "dateReserved": "2025-11-07T21:47:16.787Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-14T02:24:19.144Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12904", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-14T03:15:56.230", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3392176/h5pxapikatchu"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90552d5a-6103-48c7-ad44-52ee8ecac114?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:21:13.218048+00:00", "value": {"mitigation_remediation": ["Upgrade SNORDIAN H5PxAPIkatchu to version 0.4.18 or later.", "If an upgrade is not possible, disable the insert_data AJAX endpoint or remove the plugin from the WordPress installation.", "Apply input validation and output escaping on the insert_data route if you maintain custom code.", "Consider deploying a web application firewall or content\u2011security\u2011policy header to mitigate XSS attacks on affected pages."], "summary": {"action": "Patch\u00a0Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the SNORDIAN H5PxAPIkatchu plugin, versions up to and including 0.4.17.", "description_and_impact": "The SNORDIAN H5PxAPIkatchu WordPress plugin contains an insufficiently sanitized and escaped input in the AJAX endpoint named insert_data, which delivers the injected content in stored form. An attacker who is not authenticated can place arbitrary JavaScript in a page; when any user loads that page the script runs in the victim\u2019s browser, potentially enabling credential theft, session hijacking, or defacement. This weakness is classified as CWE\u201179.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.2. The EPSS score is less than 1\u202f% and the weakness is not included in the CISA KEV catalog, indicating low current exploitation likelihood. However, the flaw is exploitable through a public\u2011facing AJAX endpoint, meaning an unauthenticated attacker can reach the code path and inject payloads without further compromise."}}}}, "created": "2025-11-14T09:27:36.073491+00:00", "updated": "2026-04-21T18:30:27.581700+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}