CVE-2025-12631 - Vulnerability Details

- Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Description

The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Published: 2025-11-11

Score: 4.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Squirrels Auto Inventory plugin for WordPress contains a stored XSS flaw in administration settings across all versions up to 1.0.3. When an authenticated user with administrator privileges or higher alters these settings, unsanitized input can be stored and later rendered within pages. The stored script executes in the browsers of any user who views an affected page, allowing the attacker to steal cookies, hijack sessions, or inject malicious content without the user’s knowledge.

Affected Systems

The vulnerability affects installations of the Squirrels Auto Inventory plugin, version 1.0.3 and earlier, on multi‑site WordPress environments where the unfiltered_html feature is disabled. All users who have the ability to access the plugin’s admin settings can exploit the flaw, and the impact is realized on other site visitors who view pages containing the injected content.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, and the EPSS score of less than 1% shows a low probability of exploitation as of the latest data. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires administrator credentials, so the the attack surface is limited to privileged users. Once the stored payload is present, however, it can affect any visitor to the injected page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

spokanetony

Squirrels Auto Inventory

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.3

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Squirrels Auto Inventory plugin to a version newer than 1.0.3.
If an update is not immediately possible, restrict administrator access or temporarily disable the plugin until a patched version is available.
Configure a web application firewall or use a security plugin to block known XSS payloads on the affected pages.

Generated by OpenCVE AI on April 21, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://wordpress.org/plugins/squirrels-auto-inventory/
https://www.wordfence.com/threat-intel/vulnerabilities/id/9f93ee42-c21d-47cf-b140-65809da75653?source=cve

History

Wed, 12 Nov 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 12 Nov 2025 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type	Values Removed	Values Added
Description		The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title		Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses		CWE-79
References		https://wordpress.org/plugins/squirrels-auto-inventory/ https://www.wordfence.com/threat-intel/vulnerabilities/id/9f93ee42-c21d-47cf-b140-65809da75653?source=cve
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-11T03:30:47.001Z

Updated: 2026-04-08T17:12:02.542Z

Reserved: 2025-11-03T14:39:15.330Z

Link: CVE-2025-12631

Vulnrichment

Updated: 2025-11-12T15:12:19.739Z

NVD

Status : Deferred

Published: 2025-11-11T04:15:47.557

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object