CVE-2025-12017 - Vulnerability Details

- VNPAY for Woocommerce <= 1.0.0 - Reflected Cross-Site Scripting

Description

The VNPAY Payment gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: 2025-10-24

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The VNPAY Payment gateway plugin for WordPress is vulnerable to a reflected cross‑site scripting flaw that arises from insufficient input sanitization and output escaping applied to the 'message' parameter. An unauthenticated attacker can craft a malicious URL containing JavaScript payloads; when a victim clicks the link, the payload is reflected back and executed in the victim’s browser. This enables the attacker to run arbitrary client‑side code, which can be used for session hijacking, data theft, or defacement.

Affected Systems

The vulnerability affects all versions of the VNPAY Payment gateway for Woocommerce released by teyldoan up to and including version 1.0.0. No later releases are covered by the description.

Risk and Exploitability

The flaw carries a CVSS score of 6.1, indicating moderate severity, and an EPSS score of less than 1 %, implying a very low exploitation probability under current conditions. It is not listed in the CISA KEV catalog. The attack requires no authentication but does require a victim to visit a crafted link—making it a user interaction‑based, reflected XSS vector that can be executed in any browser that renders the vulnerable page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

teyldoan

VNPAY Payment gateway

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.0

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the VNPAY Payment gateway plugin to the latest version that fixes the XSS flaw.
If an upgrade is not immediately possible, reconfigure or disable the feature that reflects the 'message' parameter so that it is no longer echoed in the page output.
Deploy a web application firewall or security plugin that blocks reflected XSS attacks and monitor logs for suspicious payloads in the 'message' parameter.
Implement a Content Security Policy that restricts the execution of inline scripts to reduce the risk if a payload does reach the browser.

Generated by OpenCVE AI on April 21, 2026 at 02:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00106.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.svn.wordpress.org/vnpay-for-woocommerce/trunk/src/shortcodes/Thankyou.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/b901f593-3691-4ea1-8ab6-1ddd68fa2e36?source=cve

History

Mon, 27 Oct 2025 22:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Oct 2025 08:30:00 +0000

Type	Values Removed	Values Added
Description		The VNPAY Payment gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title		VNPAY for Woocommerce <= 1.0.0 - Reflected Cross-Site Scripting
Weaknesses		CWE-79
References		https://plugins.svn.wordpress.org/vnpay-for-woocommerce/trunk/src/shortcodes/Thankyou.php https://www.wordfence.com/threat-intel/vulnerabilities/id/b901f593-3691-4ea1-8ab6-1ddd68fa2e36?source=cve
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-24T08:24:04.143Z

Updated: 2026-04-08T17:17:55.328Z

Reserved: 2025-10-21T13:55:27.993Z

Link: CVE-2025-12017

Vulnrichment

Updated: 2025-10-24T12:10:43.520Z

NVD

Status : Deferred

Published: 2025-10-24T09:15:44.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:15:06Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object