CVE-2025-12590
BaseFortify
Publication date: 2025-11-11
Last updated on: 2025-11-12
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | yslider | 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the YSlider plugin for WordPress is a Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS). It occurs because the plugin lacks nonce verification on its content configuration page and does not properly sanitize or escape input and output. This allows an unauthenticated attacker to inject malicious scripts into pages by tricking an administrator into performing an action, such as clicking a link. The injected scripts then execute whenever a user accesses the affected page.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website. This can lead to unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, defacement of the website, or distribution of malware. Since the attack requires tricking an administrator, it can compromise administrative functions and potentially affect all users who visit the injected pages.
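The two weaknesses named in the answers above (no nonce verification on the settings request, no sanitization or escaping of the stored value) are shown below as a vulnerable WordPress option handler beside its hardened form. This is an added illustrative example written for this page, not YSlider's code; the `ex_` function, option and field names are hypothetical.

```php
<?php
// Added illustrative example (not YSlider's code). All ex_* names are hypothetical.

// VULNERABLE PATTERN: the handler trusts any POST, stores the raw value and echoes it back
// unescaped. A forged request submitted by a logged-in administrator's browser stores the
// payload (CWE-352), and every later render of the page executes it (stored XSS).
function ex_save_caption_vulnerable() {
    if ( isset( $_POST['ex_caption'] ) ) {
        update_option( 'ex_slider_caption', $_POST['ex_caption'] ); // no nonce, no sanitization
    }
}
function ex_render_caption_vulnerable() {
    echo '<div class="caption">' . get_option( 'ex_slider_caption' ) . '</div>'; // unescaped
}

// HARDENED PATTERN: capability check, nonce verification, sanitize on input, escape on output.
function ex_save_caption_hardened() {
    if ( ! isset( $_POST['ex_caption'] ) ) {
        return;
    }
    // Only users permitted to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() dies unless the request carries a valid nonce for this action.
    // A cross-site forged request cannot supply the nonce, so it is rejected here.
    check_admin_referer( 'ex_save_caption_action', 'ex_caption_nonce' );

    $caption = sanitize_text_field( wp_unslash( $_POST['ex_caption'] ) );
    update_option( 'ex_slider_caption', $caption );
}
function ex_render_caption_hardened() {
    // Escape at the output context (HTML body) regardless of what was stored.
    echo '<div class="caption">' . esc_html( get_option( 'ex_slider_caption', '' ) ) . '</div>';
}

// The settings form must emit the matching nonce field for check_admin_referer() to verify.
function ex_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ex_save_caption_action', 'ex_caption_nonce' );
    echo '<input type="text" name="ex_caption" value="'
        . esc_attr( get_option( 'ex_slider_caption', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

Nonce verification alone stops the forged request; sanitizing and escaping are still needed so that a request from a legitimately logged-in user cannot store script either.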