Description
The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-10-25
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting by authenticated administrators
Action: Patch
AI Analysis

Impact

The Fast Velocity Minify plugin for WordPress contains a stored Cross‑Site Scripting (CWE‑79) vulnerability caused by insufficient input sanitization and output escaping in its admin settings. When an administrator injects malicious JavaScript, it is permanently stored and executes automatically whenever a user accesses a page that includes the injected setting. Attackers must first have administrator‑level or higher credentials to inject the code, and the flaw exists in all versions up to and including 3.5.1.

Affected Systems

All WordPress installations that run Fast Velocity Minify version 3.5.1 or earlier are affected. The vulnerability applies only to multi‑site networks or installations where the unfiltered_html capability has been disabled. Only administrators can insert the malicious payload, but all visitors to a page that renders the plugin’s settings are exposed to the injected script.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% suggests a relatively low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is authenticated exploitation through the plugin's admin settings, and the injected script runs in the browser of every user who visits an affected page. The flaw does not provide system-wide compromise beyond the pages rendered by the plugin.

Generated by OpenCVE AI on April 27, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Fast Velocity Minify to a version that includes the stored XSS fix.
  • If an update is not available, temporarily disable or delete the plugin on all sites to eliminate the attack surface.
  • If disabling is not feasible, restrict access to the plugin’s admin settings to trusted administrators only and review existing settings for any injected code, removing any suspicious scripts before they are rendered to other users.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Oct 2025 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title | | Fast Velocity Minify <= 3.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:23.899Z

Reserved: 2025-10-21T17:36:37.692Z

Link: CVE-2025-12034

Vulnrichment

Updated: 2025-10-27T15:54:44.079Z

NVD

Status: Deferred

Published: 2025-10-25T07:15:40.930

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:45:15Z

Weaknesses