CVE-2025-12715: Critical Stored XSS Found in Canadian Nutrition Facts Label Plugin

Overview

CVE-2025-12715 details a Stored Cross-Site Scripting (XSS) vulnerability affecting the Canadian Nutrition Facts Label plugin for WordPress. This vulnerability exists in versions up to and including 3.0. Successful exploitation allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into the website’s database. This injected code executes when other users, including administrators, view the affected pages containing the nutrition labels.

Technical Details

The vulnerability resides within the ‘percentage’ field of the Nutrition Label custom post type. The plugin fails to properly sanitize user-supplied input for this field and doesn’t adequately escape output when rendering the nutrition label on a page. This allows an attacker to insert arbitrary HTML and JavaScript code into the ‘percentage’ field. When a user views a page displaying a nutrition label containing the malicious code, the injected script will execute in their browser, potentially leading to account compromise or other malicious activities.

The vulnerable code can be found (potentially among other places) at the specified reference link, where input from the ‘percentage’ field is used without proper sanitization before being displayed:

<?php
// Example simplified snippet - check the actual code at the reference URL.
// The submitted value is concatenated straight into the HTML: there is no
// sanitization on input and no escaping (e.g. esc_html()) on output.
echo '<span class="nutrition-percentage">' . $_POST['percentage'] . '%</span>';
?>

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12715 is 6.4 (Medium).

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): Low (L)

This score indicates that the vulnerability is relatively easy to exploit over the network, requires user interaction, and can impact the confidentiality, integrity, and availability of the affected system. The “Changed” scope is particularly important: the vulnerable component is the plugin on the server, but the injected script executes in the browser of whoever views the label, so the impact lands on a security authority other than the vulnerable component itself.

Possible Impact

Successful exploitation of this vulnerability can lead to various malicious outcomes, including:

  • Account Takeover: An attacker can potentially steal user session cookies, leading to account compromise.
  • Malware Distribution: The injected script can redirect users to malicious websites hosting malware.
  • Defacement: An attacker can modify the content of the affected pages, defacing the website.
  • Data Theft: Sensitive data displayed on the affected pages may be stolen.
  • Phishing Attacks: The injected script can be used to display phishing forms to trick users into providing their credentials.

Mitigation and Patch Steps

The recommended mitigation steps are:

  1. Update the Plugin: Upgrade the Canadian Nutrition Facts Label plugin to the latest version, if a version higher than 3.0 exists and addresses the vulnerability. Check the plugin developer’s website for updates.
  2. Disable the Plugin: If an update is not available, temporarily disable the plugin until a patched version is released.
  3. Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with rules to detect and block XSS attacks.
  4. Input Sanitization: Review and sanitize all user-supplied input, especially within the ‘percentage’ field of the Nutrition Label custom post type.
  5. Output Escaping: Ensure proper output escaping is implemented when rendering the nutrition label on a page to prevent the execution of malicious code.
  6. Principle of Least Privilege: Limit user access to the WordPress dashboard. Avoid giving Contributor access to untrusted individuals.
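The following is an added example, not code from the plugin or from this advisory, showing what steps 4 and 5 look like in practice for the sanitization and escaping failure described under Technical Details. The post type slug 'nutrition_label', the meta key '_cnfl_percentage', the nonce field 'cnfl_percentage_nonce', and the function names are all assumptions chosen for illustration; the actual plugin uses its own names. The vulnerable render function mirrors the pattern from the snippet above; the hardened version validates on save, escapes on output, and adds an audit routine for values that reached the database before the fix.

```php
<?php
/**
 * Added example (not the plugin's own code): hardening the 'percentage'
 * field of a nutrition-label custom post type in WordPress.
 *
 * Assumptions (hypothetical, not taken from the plugin):
 *   - post type slug 'nutrition_label'
 *   - meta key '_cnfl_percentage'
 *   - nonce field 'cnfl_percentage_nonce' with action 'cnfl_save_percentage'
 *   - the edit form posts the value as $_POST['percentage']
 */

// --- Vulnerable pattern: the stored value is written straight into the page. ---
// Whatever was saved, markup included, is emitted verbatim to every viewer.
function cnfl_render_percentage_vulnerable( int $post_id ): string {
    $percentage = get_post_meta( $post_id, '_cnfl_percentage', true );
    return '<span class="nutrition-percentage">' . $percentage . '%</span>';
}

// --- Hardened, step 1: validate on save (mitigation step 4). ---
// A daily-value percentage is a non-negative whole number, so the strictest
// sanitizer is to accept nothing but digits and cap the range.
function cnfl_sanitize_percentage( $raw ): int {
    $raw = sanitize_text_field( (string) $raw ); // strips tags, control chars, stray whitespace
    if ( ! ctype_digit( $raw ) ) {
        return 0; // anything that is not a bare whole number is rejected
    }
    return min( absint( $raw ), 9999 );
}

function cnfl_save_percentage( int $post_id ): void {
    if ( ! isset( $_POST['cnfl_percentage_nonce'], $_POST['percentage'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( sanitize_key( $_POST['cnfl_percentage_nonce'] ), 'cnfl_save_percentage' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $clean = cnfl_sanitize_percentage( wp_unslash( $_POST['percentage'] ) );
    update_post_meta( $post_id, '_cnfl_percentage', $clean );
}
add_action( 'save_post_nutrition_label', 'cnfl_save_percentage' );

// --- Hardened, step 2: escape on output regardless of what is stored (step 5). ---
// Render-time escaping is the control that still holds for values that were
// written before the sanitizer existed, so it is never skipped.
function cnfl_render_percentage( int $post_id ): string {
    $percentage = get_post_meta( $post_id, '_cnfl_percentage', true );
    return '<span class="nutrition-percentage">' . esc_html( $percentage ) . '%</span>';
}

// --- Audit: list labels whose stored value is not a bare number. ---
// Fixing new input does not clean rows already in wp_postmeta; run this once
// after updating a site that ran the vulnerable version and review the hits.
function cnfl_find_suspicious_percentages(): array {
    $ids = get_posts( array(
        'post_type'      => 'nutrition_label',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );
    $suspicious = array();
    foreach ( $ids as $id ) {
        $stored = (string) get_post_meta( $id, '_cnfl_percentage', true );
        if ( '' !== $stored && ! ctype_digit( $stored ) ) {
            $suspicious[ $id ] = $stored; // post ID => raw stored value
        }
    }
    return $suspicious;
}
```

The two controls are deliberately independent: validation on save keeps script from entering the database, and esc_html() on render keeps any value that does get stored from executing. The audit function is the practical companion to mitigation step 1, since upgrading the plugin changes how new values are handled but does not rewrite existing post meta.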

References

Canadian Nutrition Facts Label Plugin Code (Version 3.0)
Wordfence Vulnerability Report – CVE-2025-12715
