CVE-2025-12118
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | schema_scalpel | 1.6.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Schema Scalpel WordPress plugin is a Stored Cross-Site Scripting (XSS) issue that occurs via the post title in all versions up to and including 1.6.1. It happens because the plugin does not properly sanitize and escape user-supplied data when outputting it into JSON-LD schema markup. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into pages, which then executes whenever any user accesses the affected page. [3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers with Contributor-level access to inject malicious scripts into your website's pages. These scripts can execute in the browsers of visitors to the infected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions that compromise site security and user trust. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your WordPress site is running the Schema Scalpel plugin version 1.6.1 or earlier and if it allows Contributor-level users or above to inject scripts via post titles that appear in JSON-LD schema markup. To detect exploitation attempts, you can monitor HTTP requests and responses for suspicious script tags or JSON-LD containing unexpected JavaScript code in page titles. Commands to help detect this include using curl or wget to fetch pages and grep for suspicious script injections, for example: 1) curl -s https://yourwordpresssite.com/page | grep '<script>' 2) grep -r --include='*.php' 'Schema_Scalpel' wp-content/plugins/ to verify plugin version and code. Additionally, reviewing user-submitted post titles for suspicious content can help detect attempts. However, no specific detection commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Schema Scalpel plugin to a version that includes the fix for CVE-2025-12118, which sanitizes post titles and properly escapes JSON-LD output to prevent script injection. If an update is not immediately available, restrict Contributor-level and above users from submitting posts or titles until patched. Additionally, review and sanitize existing post titles to remove any malicious scripts. Applying the fix involves ensuring that post titles are sanitized using WordPress's sanitize_text_field() function and JSON encoding uses wp_json_encode() with appropriate flags, as implemented in the fix commit. Monitoring and limiting user permissions can also reduce risk. [3]