CVE-2025-12417
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | surveyfunnel_lite | 1.1.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the SurveyFunnel β Survey Plugin for WordPress. It occurs because the plugin does not properly sanitize or escape user-supplied input in the 'surveyfunnel_lite_survey' shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts that will execute whenever any user views the affected page.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access to inject malicious scripts into pages, which can execute in the browsers of users who visit those pages. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the victim user.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with contributor-level access to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized script execution when users access affected pages, potentially exposing user data or session information. Such exposure or unauthorized access to personal or sensitive data could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding user data against unauthorized access and ensuring data integrity. Therefore, this vulnerability poses a risk to compliance with these standards by potentially enabling data breaches or unauthorized data manipulation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable shortcode '[surveyfunnel_lite_survey]' in WordPress posts or pages, especially if the SurveyFunnel Lite plugin version is 1.1.5 or earlier. Since the vulnerability involves stored cross-site scripting via user-supplied shortcode attributes, detection involves inspecting content for injected scripts within these shortcode attributes. There are no specific commands provided in the resources, but manual inspection or scanning for the shortcode usage and suspicious script tags in the content can help detect exploitation. Additionally, reviewing plugin version and source code for lack of proper input sanitization and output escaping can assist in detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the SurveyFunnel Lite plugin to a version later than 1.1.5 where the vulnerability is fixed. 2) If an update is not immediately available, restrict contributor-level and above users from adding or editing content with the vulnerable shortcode to prevent injection. 3) Implement proper input sanitization and output escaping for shortcode attributes, following WordPress security best practices such as those detailed in the WordPress escaping guide (e.g., using esc_html(), esc_attr(), wp_kses()). 4) Monitor and remove any injected malicious scripts found in existing content. 5) Consider disabling the shortcode temporarily if possible until a patch is applied. [1, 2]