Description
The WP Carticon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carticon_js_script' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-11-04
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Update Plugin
AI Analysis

Impact

The vulnerability allows a stored XSS attack through the carticon_js_script parameter in WP Carticon. An authenticated user with administrator privileges can inject arbitrary JavaScript that will run whenever another user views the page. This can lead to session hijacking, defacement or execution of malicious code in the context of the victim's browser session.

Affected Systems

WordPress multisite installations running WP Carticon plugin version 1.0.0 or earlier where the unfiltered_html capability is disabled. Only sites that use the carticon_js_script setting are impacted.

Risk and Exploitability

The CVSS score of 4.4 indicates a moderate impact. The EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires administrator clearance and an active WordPress multisite environment, making it a niche threat with limited scope.

Generated by OpenCVE AI on April 21, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Carticon plugin to the latest release that fixes the issue; if no newer version exists, uninstall the plugin.
  • Disable or remove the carticon_js_script parameter usage within the plugin code to block script injection.
  • Restrict WordPress administrator accounts to trusted personnel and monitor for anomalous script execution or injected content.

Generated by OpenCVE AI on April 21, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 04 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 04 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 04:45:00 +0000

Type Values Removed Values Added
Description The WP Carticon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carticon_js_script' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title WP Carticon <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:22.102Z

Reserved: 2025-10-22T13:13:30.298Z

Link: CVE-2025-12065

cve-icon Vulnrichment

Updated: 2025-11-04T15:10:55.350Z

cve-icon NVD

Status : Deferred

Published: 2025-11-04T05:16:07.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12065

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses