CVE-2025-12045
📋 TL;DR
This vulnerability allows authenticated WordPress users with Author-level permissions or higher to inject malicious scripts into category and tag names. When other users view pages containing these manipulated categories or tags, the scripts execute in their browsers. This affects all WordPress sites using the Orbit Fox plugin up to version 3.0.2.
💻 Affected Systems
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More (WordPress plugin)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, deface websites, or install backdoors for persistent access.
Likely Case
Attackers with author access inject malicious scripts that steal user session cookies or redirect users to phishing pages.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only authorized users can modify content.
🎯 Exploit Status
Exploitation requires authenticated access (Author role or higher). The vulnerability is in publicly visible code, making exploitation straightforward for attackers with valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3388856/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Orbit Fox' and click 'Update Now'. 4. Verify the plugin version is 3.0.3 or higher.
🔧 Temporary Workarounds
Disable Orbit Fox Plugin
linuxTemporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate themeisle-companion
Restrict User Permissions
allLimit users to Subscriber or Contributor roles to prevent exploitation.
🧯 If You Can't Patch
- Remove Author-level permissions from untrusted users.
- Implement a Web Application Firewall (WAF) with XSS protection rules.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Orbit Fox version 3.0.2 or lower.Check Version:
wp plugin get themeisle-companion --field=versionVerify Fix Applied:
Confirm Orbit Fox plugin version is 3.0.3 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to category/tag names containing script tags in WordPress logs.
- Multiple failed login attempts followed by successful author-level login.
Network Indicators:
- HTTP requests containing malicious script payloads in category/tag parameters.
- Outbound connections to suspicious domains from WordPress site.
SIEM Query:
source="wordpress.log" AND ("category" OR "tag") AND ("<script>" OR "javascript:")🔗 References
- https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1878
- https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1912
- https://plugins.trac.wordpress.org/changeset/3388856/
- https://research.cleantalk.org/cve-2025-12045/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/139a264b-082b-45db-ac9e-4974bf86c56f?source=cve
