CVE-2025-12034
BaseFortify
Publication date: 2025-10-25
Last updated on: 2025-10-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| peixotorms | fast_velocity_minify | 3.5.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Fast Velocity Minify WordPress plugin (up to version 3.5.1) is a Stored Cross-Site Scripting (XSS) issue that occurs via admin settings. It happens because the plugin does not properly sanitize input or escape output, allowing authenticated users with administrator-level permissions to inject malicious scripts into pages. These scripts execute whenever a user accesses the infected page. This vulnerability specifically affects multi-site WordPress installations or those where the unfiltered_html setting is disabled. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator privileges to inject arbitrary JavaScript code into the website's pages. When other users visit these pages, the malicious scripts can execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of users. Because it is a stored XSS, the malicious code persists and affects all users accessing the compromised pages, increasing the risk and impact. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Fast Velocity Minify plugin version is 3.5.1 or earlier on a WordPress multi-site installation where unfiltered_html is disabled. Since the vulnerability involves stored Cross-Site Scripting via admin settings, detection involves verifying plugin version and configuration. There are no specific network commands provided to detect exploitation attempts. However, you can check the plugin version via WP-CLI with the command: `wp plugin get fast-velocity-minify --field=version`. Additionally, reviewing admin settings for suspicious injected scripts or monitoring logs for unauthorized AJAX requests lacking proper nonce verification could help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Fast Velocity Minify plugin to version 3.5.2 or later, which contains fixes for input validation, access control, and sanitization to prevent exploitation. Additionally, ensure that only trusted administrators have access to the WordPress admin interface, especially on multi-site installations with unfiltered_html disabled. Review and restrict permissions to prevent unauthorized script injections. Applying the update will enforce nonce verification on AJAX requests, sanitize inputs, block path traversal, and prevent SSRF attacks as detailed in the plugin's security enhancements. [1]