Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the WP Delete Post Copies plugin for WordPress, tracked as CVE-2025-12066. This vulnerability affects versions up to and including 6.0.2. Successful exploitation could allow attackers with administrator-level permissions to inject malicious JavaScript code into the WordPress site, potentially compromising user accounts and data.
Technical Details
The vulnerability exists due to insufficient input sanitization and output escaping of admin settings within the plugin. Specifically, authenticated attackers with administrator privileges (or higher) can inject arbitrary web scripts through the plugin’s settings. When a user accesses a page containing the injected script, the script will execute in their browser. This can lead to session hijacking, defacement, or other malicious activities.
This vulnerability is only exploitable on multisite installations and on single-site installations where the unfiltered_html capability has been disabled. Because disabling unfiltered_html is a recommended hardening step, sites that follow that advice fall within the affected population, which widens the concern.
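To make the defect class concrete, the following is an added illustration and not code from the WP Delete Post Copies plugin: a settings field that is stored and echoed back without filtering, beside the same field handled through the WordPress Settings API with sanitization on save and escaping on output. The option name wpdpc_demo_label, the settings group and the function names are hypothetical.

```php
<?php
// Added illustration of the defect class, not the plugin's own code.
// Option, group and function names (wpdpc_demo_*) are hypothetical.

// --- Weak pattern: the kind of handling the advisory describes ---
// The submitted value is written to the options table verbatim and echoed
// back unescaped, so whatever an administrator saves (including script
// markup) is rendered as-is for every admin who later opens the page.
function wpdpc_demo_save_weak() {
    if ( isset( $_POST['wpdpc_demo_label'] ) ) {
        update_option( 'wpdpc_demo_label', $_POST['wpdpc_demo_label'] ); // no sanitization
    }
}

function wpdpc_demo_render_weak() {
    $label = get_option( 'wpdpc_demo_label', '' );
    echo '<input type="text" name="wpdpc_demo_label" value="' . $label . '">'; // no escaping
}

// --- Hardened pattern: sanitize on save, escape on output ---
// register_setting() attaches a sanitize callback, so every write that goes
// through the Settings API is filtered, and esc_attr() neutralises anything
// that is still stored before it reaches the browser. The capability and
// nonce checks keep the save path limited to an intentional admin action.
function wpdpc_demo_register_setting() {
    register_setting(
        'wpdpc_demo_group',
        'wpdpc_demo_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags, trims, drops control chars
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'wpdpc_demo_register_setting' );

function wpdpc_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'wpdpc_demo_save' ); // rejects requests without a valid nonce
    if ( isset( $_POST['wpdpc_demo_label'] ) ) {
        update_option( 'wpdpc_demo_label', sanitize_text_field( wp_unslash( $_POST['wpdpc_demo_label'] ) ) );
    }
}

function wpdpc_demo_render_hardened() {
    $label = get_option( 'wpdpc_demo_label', '' );
    printf(
        '<input type="text" name="wpdpc_demo_label" value="%s">',
        esc_attr( $label ) // escaping chosen for the HTML attribute context
    );
}
```

The weak half is the pattern to look for when auditing a plugin's admin settings: any option that is saved from `$_POST` without a sanitize callback and printed without a context-specific `esc_*()` call is a candidate for the same stored XSS.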
CVSS Analysis
- CVE ID: CVE-2025-12066
- Severity: MEDIUM
- CVSS Score: 4.4
- CVSS Vector: not provided
A CVSS score of 4.4 places this vulnerability in the medium severity band. Although exploitation requires administrator-level access, a successful attack can significantly affect the confidentiality, integrity, and availability of the WordPress site.
Possible Impact
Successful exploitation of this XSS vulnerability could have the following consequences:
- Account Compromise: Attackers can steal administrator or other user session cookies, gaining unauthorized access to accounts.
- Website Defacement: Malicious scripts can modify the website’s appearance or content.
- Malware Distribution: The injected script can redirect users to malicious websites or initiate malware downloads.
- Data Theft: Sensitive data stored within the WordPress site could be accessed and exfiltrated.
Mitigation and Patch Steps
The recommended mitigation is to update the WP Delete Post Copies plugin to the latest version. The vulnerability has been patched in versions released after 6.0.2. Follow these steps:
- Log in to your WordPress administration dashboard.
- Navigate to the “Plugins” section.
- Locate the “WP Delete Post Copies” plugin.
- If an update is available, click the “Update Now” button.
- Verify that the plugin is now running the patched version.
If you are unable to update the plugin immediately, consider temporarily deactivating it until the update can be applied.
References
WordPress Plugins Trac Changeset
Wordfence Threat Intelligence Report
