Description
The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS for contributors and higher in the Canadian Nutrition Facts Label plugin
Action: Upgrade Plugin
AI Analysis

Impact

The plugin accepts the percentage value in a custom post type without sanitizing or escaping the input. This is a CWE-79 Stored Cross-Site Scripting flaw. An authenticated user with Contributor-level access can insert arbitrary JavaScript, which will be rendered and executed in the browser of any visitor who views that label. The flaw does not allow server-side control or data exfiltration beyond what can be achieved from client-side code.

Affected Systems

WordPress sites using the emaude Canadian Nutrition Facts Label plugin, version 3.0 and earlier.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate risk. An EPSS score of less than 1% suggests a very low exploitation probability in the near term, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to have Contributor-level or greater access to the site; no additional privileges are needed. Once a contributor injects a malicious payload, every user who visits the compromised label will receive the injected script.

Generated by OpenCVE AI on April 22, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Canadian Nutrition Facts Label plugin to a version newer than 3.0 that implements proper input sanitization.
  • Restrict the Contributor role's ability to edit Nutrition Labels by adjusting role capabilities, or by reassigning those users to a role without that permission.
  • Manually review and cleanse existing Nutrition Labels, removing or escaping any suspicious content in the percentage field.
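The sanitize-on-save and escape-on-output pattern that the first action calls for, together with an audit routine for the third, as an added illustration that is not the plugin's own code. It assumes a hypothetical post type slug nutrition_label, meta key _nfl_percentage, form field nfl_percentage and nonce name nfl_nonce; everything else is WordPress core API (sanitize_text_field, esc_html, register_post_meta, WP_Query). The vulnerable functions show the defect the description names (stored verbatim, echoed verbatim); the hardened functions replace them.

```php
<?php
// Added illustration, not the Canadian Nutrition Facts Label plugin's code.
// Assumed names: post type 'nutrition_label', meta key '_nfl_percentage',
// form field 'nfl_percentage', nonce 'nfl_nonce'.

// --- Vulnerable pattern: the CWE-79 defect the advisory describes ---
function nfl_vulnerable_save( $post_id ) {
    if ( isset( $_POST['nfl_percentage'] ) ) {
        // Contributor input stored as-is: no sanitization.
        update_post_meta( $post_id, '_nfl_percentage', $_POST['nfl_percentage'] );
    }
}
function nfl_vulnerable_render( $post_id ) {
    $pct = get_post_meta( $post_id, '_nfl_percentage', true );
    // Stored value echoed as-is into HTML: no output escaping.
    return '<td class="percent">' . $pct . '%</td>';
}

// --- Hardened pattern ---

// 1. Sanitize on save. A percentage is a number, so anything else is dropped
//    rather than "cleaned": this removes the whole class of script payloads.
function nfl_sanitize_percentage( $raw ) {
    $raw = sanitize_text_field( wp_unslash( (string) $raw ) );
    if ( ! is_numeric( $raw ) ) {
        return '';                                 // reject non-numeric input
    }
    return (string) max( 0, min( 999, floatval( $raw ) ) ); // clamp to a sane range
}

function nfl_hardened_save( $post_id ) {
    if ( ! isset( $_POST['nfl_percentage'] ) ) {
        return;
    }
    // Nonce and capability checks: only a legitimate edit form for a post the
    // user may edit reaches update_post_meta().
    if ( ! isset( $_POST['nfl_nonce'] )
         || ! wp_verify_nonce( $_POST['nfl_nonce'], 'nfl_save_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    update_post_meta( $post_id, '_nfl_percentage',
        nfl_sanitize_percentage( $_POST['nfl_percentage'] ) );
}
add_action( 'save_post_nutrition_label', 'nfl_hardened_save' );

// 2. Escape on output, in the context the value lands in (HTML body text here;
//    use esc_attr() if it went into an attribute).
function nfl_hardened_render( $post_id ) {
    $pct = get_post_meta( $post_id, '_nfl_percentage', true );
    return '<td class="percent">' . esc_html( $pct ) . '%</td>';
}

// 3. Register the meta with a sanitize callback so that other write paths
//    (REST, direct update_post_meta() calls) get the same sanitization.
add_action( 'init', function () {
    register_post_meta( 'nutrition_label', '_nfl_percentage', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'nfl_sanitize_percentage',
        'auth_callback'     => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

// 4. Audit existing labels: return post IDs whose stored percentage is not
//    numeric, i.e. content that could only have arrived unsanitized.
function nfl_audit_percentages() {
    $suspect = array();
    $q = new WP_Query( array(
        'post_type'      => 'nutrition_label',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );
    foreach ( $q->posts as $post_id ) {
        $pct = get_post_meta( $post_id, '_nfl_percentage', true );
        if ( $pct !== '' && ! is_numeric( $pct ) ) {
            $suspect[ $post_id ] = $pct;
        }
    }
    return $suspect;   // review each entry, then re-save through nfl_sanitize_percentage()
}
```

The sanitize step is deliberately a type check rather than a filter: because the field can only ever be a number, rejecting non-numeric input removes the attack surface entirely, while esc_html() on output remains as the second layer in case a value reaches the meta table by another route. nfl_audit_percentages() is meant to be run once from a site-admin context (for example a WP-CLI eval or a temporary admin page) after the upgrade, to find labels that need the manual review the third action describes.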



Advisories

No advisories yet.

History

Tue, 09 Dec 2025 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Dec 2025 06:00:00 +0000

Type          Values Removed   Values Added
Description                    The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                          Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:58.734Z

Reserved: 2025-11-04T20:32:13.980Z

Link: CVE-2025-12715

Vulnrichment

Updated: 2025-12-08T21:16:54.205Z

NVD

Status: Deferred

Published: 2025-12-06T06:15:50.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:07Z

Weaknesses