Overview
A high-severity stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12135, has been discovered in the WPBookit plugin for WordPress. This vulnerability affects all versions up to and including 1.0.6. It allows unauthenticated attackers to inject malicious JavaScript code into pages that will be executed when other users access those pages, potentially leading to account compromise, data theft, or website defacement. This issue stems from a missing capability check within the `save_custome_code()` function.
Technical Details
The vulnerability resides in the way the WPBookit plugin handles custom CSS code input. The `save_custome_code()` function, responsible for saving the CSS code provided by the user, lacks proper authorization checks. Specifically, it does not verify if the user performing the action has the necessary capabilities to modify plugin settings. This allows unauthenticated users to call the `save_custome_code()` function by calling the rest endpoint, injecting arbitrary JavaScript code through the ‘css_code’ parameter.
The following files are involved:
- `core/admin/classes/class.wpb-admin-routes-handler.php`
- `core/admin/classes/class.wpb-admin-routes.php`
- `core/admin/classes/controllers/class.wpb-setting-controller.php`
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12135 is 7.2 (HIGH). This score reflects the following factors:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited over the network.
- Attack Complexity (AC): Low (L) – The attack requires minimal effort and expertise.
- Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
- User Interaction (UI): Required (R) – The vulnerability requires user interaction to be exploited. A user must visit the injected page.
- Scope (S): Changed (C) – An exploited vulnerability can affect resources beyond the security scope managed by the security authority.
- Confidentiality Impact (C): Low (L) – There is limited disclosure of information assets.
- Integrity Impact (I): Low (L) – There is limited modification of information assets.
- Availability Impact (A): Low (L) – There is limited disruption of resources.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Account Takeover: Attackers can steal administrator cookies or credentials, gaining complete control over the WordPress site.
- Data Theft: Sensitive data, such as user information or financial details, could be compromised.
- Website Defacement: Attackers can modify the website’s content, redirect users to malicious sites, or inject spam.
- Malware Distribution: The injected JavaScript code could be used to distribute malware to website visitors.
Mitigation or Patch Steps
The recommended mitigation is to update the WPBookit plugin to the latest available version, which should include a fix for this vulnerability. If an update is not yet available, consider temporarily disabling the plugin until a patch is released.
Here are some general security best practices to help protect your WordPress site:
- Keep all plugins and themes up to date.
- Use strong, unique passwords for all user accounts.
- Implement a web application firewall (WAF).
- Regularly scan your website for malware and vulnerabilities.
