Description
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The plugin stores several social media username fields without validating or sanitizing the input and renders them without escaping the output, so an attacker can persist a script fragment in the site's database through an ordinary submission. Whenever a page renders the stored value, that script runs in the browser of whoever views the page, with that viewer's session, so the impact depends on the audience: for an anonymous visitor it can mean defaced content or redirection to a phishing site; for a logged-in user or administrator it can mean cookie or token theft and actions performed under their account. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
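To make the mechanism concrete, here is an added PHP example written for this page; it is not RafflePress code and does not reflect the plugin's real field or function names (the rp_* functions, the 'twitter_username' field and the handle pattern are assumptions). It puts the vulnerable pattern the advisory describes, raw storage followed by unescaped rendering, next to a hardened version that validates the handle against an allowlist on input and escapes on output. Both halves matter: WordPress's sanitize_text_field() strips tags but keeps quotes, so a stored value that closes an attribute still breaks out of unescaped markup.

```php
<?php
// Added example, not RafflePress code. Names (rp_*, 'twitter_username') and
// the handle pattern are assumptions made for illustration.

// ---- Vulnerable pattern: store the raw value, echo it unescaped -----------

function rp_store_entry_vulnerable(array $post, array &$storage): void
{
    // No validation or sanitization: the submitted value is persisted as-is.
    $storage[] = ['twitter_username' => (string) ($post['twitter_username'] ?? '')];
}

function rp_render_entry_vulnerable(array $entry): string
{
    // No output escaping: the stored value lands in an attribute and in a
    // text node, so a quote or '<' inside it rewrites the markup.
    $u = $entry['twitter_username'];
    return '<span class="rp-entrant" data-handle="' . $u . '">@' . $u . '</span>';
}

// ---- Hardened pattern: allowlist on input, escape on output ---------------

// Assumed allowlist for a social handle. Real services differ (X/Twitter
// handles are 1-15 word characters, Instagram allows dots and up to 30), so
// tighten per field; the point is that a username never needs '<', '"' or '>'.
const RP_HANDLE_RE = '/^@?[A-Za-z0-9_.]{1,30}$/';

function rp_normalize_handle(string $raw): ?string
{
    // In WordPress, sanitize_text_field() would run first; it strips tags but
    // keeps quotes, so it is not a substitute for this allowlist check.
    $s = trim($raw);
    if ($s === '' || !preg_match(RP_HANDLE_RE, $s)) {
        return null;                          // reject rather than "repair"
    }
    return ltrim($s, '@');
}

function rp_store_entry_hardened(array $post, array &$storage): bool
{
    $handle = rp_normalize_handle((string) ($post['twitter_username'] ?? ''));
    if ($handle === null) {
        return false;                         // invalid input is refused
    }
    $storage[] = ['twitter_username' => $handle];
    return true;
}

function rp_esc(string $s): string
{
    // What esc_html()/esc_attr() do in WordPress: encode & < > " ' so the
    // value can neither close an attribute nor open a tag.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function rp_render_entry_hardened(array $entry): string
{
    $raw = $entry['twitter_username'];
    $u   = rp_esc($raw);
    // Escape on output even though input was validated: the value may have
    // been stored before the fix, or written by another code path. The href
    // is a fixed https:// prefix plus a percent-encoded handle, so a
    // javascript: scheme cannot be introduced there either.
    return '<a class="rp-entrant" href="https://twitter.com/' . rawurlencode($raw)
         . '" data-handle="' . $u . '">@' . $u . '</a>';
}

// ---- Demonstration with a constructed payload -----------------------------

$payload = '"><img src=x onerror=alert(document.cookie)>';   // constructed

$vulnerable = [];
rp_store_entry_vulnerable(['twitter_username' => $payload], $vulnerable);
echo rp_render_entry_vulnerable($vulnerable[0]), PHP_EOL;
// The data-handle attribute is closed early and an <img> with an event
// handler is injected; any browser that renders this runs the script.

$hardened = [];
var_dump(rp_store_entry_hardened(['twitter_username' => $payload], $hardened));
// false: the payload is rejected and never reaches storage.

rp_store_entry_hardened(['twitter_username' => '@raffle_fan'], $hardened);  // constructed
echo rp_render_entry_hardened($hardened[0]), PHP_EOL;

// Defense in depth: a payload that somehow reached storage renders inert,
// because every special character is entity-encoded before it hits the page.
echo rp_render_entry_hardened(['twitter_username' => $payload]), PHP_EOL;
```

Run it with php on the command line to compare the two renderings. The allowlist is the part to adapt per field; the escaping is not negotiable, because it is the only layer that also protects values already sitting in the database.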

Affected Systems

The affected product is the WordPress plugin Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers, in every release up to and including 1.12.19. No other products or versions are listed as affected. Operators should check the installed plugin version against that boundary and plan an update.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base score 7.2 (High): reachable over the network, low attack complexity, no privileges and no user interaction required, with a scope change because the injected script executes in visitors' browsers rather than in the plugin itself; confidentiality and integrity impact are rated Low and availability None. The EPSS score below 1 % is an estimate of the probability of exploitation in the wild over the coming 30 days, not a statement that the flaw is hard to exploit; the SSVC record marks it as automatable with no known exploitation, and it is not in the CISA KEV catalog. Because the flaw is unauthenticated stored XSS, an attacker needs only the ability to submit data through the exposed username fields. On a publicly reachable site, every visitor to a page that renders the injected content is exposed.

Generated by OpenCVE AI on April 21, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RafflePress plugin to a release later than 1.12.19, the last version the advisory lists as affected, and confirm the installed version afterwards (for example with WP-CLI: wp plugin get <plugin-slug> --field=version).
  • If an update cannot be applied immediately, disable the entry options that collect social media usernames in the plugin configuration, or take the giveaway offline, so that no new values are stored, and review entries already in the database for markup: neither a WAF nor a CSP removes a payload that is already stored.
  • A Web Application Firewall rule or a Content Security Policy that disallows inline scripts limits what a stored payload can do but does not fix the flaw. A nonce- or hash-based script-src blocks an injected script tag or event handler, but it also blocks legitimate inline scripts from the theme and other plugins unless they carry the nonce, so deploy it in Report-Only mode first.
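The policy from the last bullet, as an added example written for this page (not RafflePress or WordPress code; the csp_example_* function names and the CSP_EXAMPLE_ENFORCE constant are assumptions). It goes a step beyond the bullet: instead of a static header it installs a nonce-based policy as a WordPress must-use plugin, because a static policy that forbids inline scripts also breaks the site's own inline scripts, and the nonce is what lets legitimate ones keep running.

```php
<?php
/**
 * Plugin Name: CSP nonce hardening (added example)
 *
 * Added example, not part of RafflePress or WordPress core. Save it under
 * wp-content/mu-plugins/ to try it. It sends a nonce-based Content-Security-
 * Policy and adds the nonce to every script WordPress prints through
 * wp_get_script_tag() / wp_get_inline_script_tag() (WordPress >= 5.7, where
 * the wp_script_attributes and wp_inline_script_attributes filters exist).
 * Scripts that a theme or plugin echoes as raw <script> tags get no nonce and
 * are blocked; that is why the policy starts in Report-Only mode. Define
 * CSP_EXAMPLE_ENFORCE as true in wp-config.php once the reports are clean.
 */

function csp_example_nonce(): string
{
    static $nonce = null;                 // one nonce per request
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

function csp_example_policy(string $nonce): string
{
    // A nonce plus 'strict-dynamic' blocks inline event handlers such as
    // onerror= and any <script> without the nonce. The https: and
    // 'unsafe-inline' entries are fallbacks that nonce-aware browsers ignore;
    // object-src and base-uri close two common bypass routes.
    return "script-src 'nonce-{$nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
         . "object-src 'none'; base-uri 'self'";
}

function csp_example_header_name(): string
{
    $enforce = defined('CSP_EXAMPLE_ENFORCE') && CSP_EXAMPLE_ENFORCE;
    return $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
}

function csp_example_send_header(): void
{
    if (!headers_sent()) {
        header(csp_example_header_name() . ': ' . csp_example_policy(csp_example_nonce()));
    }
}

function csp_example_add_nonce(array $attributes): array
{
    // Runs for each script tag WordPress builds; the nonce must match the
    // one in the header for the browser to execute the script.
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}

if (function_exists('add_action')) {      // only when loaded by WordPress
    add_action('send_headers', 'csp_example_send_header');   // front end
    add_action('admin_init', 'csp_example_send_header');     // wp-admin
    add_filter('wp_script_attributes', 'csp_example_add_nonce');
    add_filter('wp_inline_script_attributes', 'csp_example_add_nonce');
}
```

In Report-Only mode violations appear only in the browser console unless you add a report-uri or report-to directive to csp_example_policy(). The policy does nothing about values already stored; it is a containment layer to run alongside the plugin update, not a replacement for it.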

Advisories

No advisories yet.

History

Thu, 20 Nov 2025 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rafflepress
                                       Rafflepress giveaways And Contests
                                       Rafflepress giveaways And Contests By Rafflepress
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Rafflepress
                                       Rafflepress giveaways And Contests
                                       Rafflepress giveaways And Contests By Rafflepress
                                       Wordpress
                                       Wordpress wordpress

Wed, 19 Nov 2025 19:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 19 Nov 2025 08:00:00 +0000

Type                  Values Removed   Values Added
Description                            The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                  Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.19 - Unauthenticated Stored Cross-Site Scripting
Weaknesses                             CWE-79
References
Metrics                                cvssV3_1
                                       {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:46.970Z

Reserved: 2025-10-29T19:11:25.942Z

Link: CVE-2025-12484

Vulnrichment

Updated: 2025-11-19T18:14:58.679Z

NVD

Status: Deferred

Published: 2025-11-19T08:15:51.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses