CVE-2025-12935
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts via the FluentCRM plugin's shortcode. The scripts are stored and execute whenever other users view affected pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using FluentCRM versions up to 2.9.84 are affected.
💻 Affected Systems
- FluentCRM - Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, take over the WordPress site, install backdoors, or redirect visitors to malicious sites, potentially compromising the entire server if WordPress has high privileges.
Likely Case
Attackers deface pages, inject cryptocurrency miners, steal user session cookies, or redirect users to phishing pages, causing reputation damage and potential data theft.
If Mitigated
With proper user role management and content review, impact is limited to minor defacement or script injection that can be quickly cleaned if detected early.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via WordPress editor. No public exploit code found yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.85 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3399640/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find FluentCRM plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.9.85+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Remove Contributor Posting Capabilities
allTemporarily restrict contributor-level users from creating or editing posts/pages to prevent exploitation.
wp user remove-role <username> contributor
wp user add-role <username> subscriber
Disable FluentCRM Shortcode
allRemove or disable the vulnerable 'fluentcrm_content' shortcode functionality.
add_filter('fluentcrm_shortcodes', '__return_empty_array'); // Add to theme functions.php
🧯 If You Can't Patch
- Restrict user roles to only trusted administrators for content creation.
- Implement web application firewall (WAF) rules to block XSS payloads in post content.
🔍 How to Verify
Check if Vulnerable:
Check FluentCRM plugin version in WordPress admin under Plugins > Installed Plugins. If version is 2.9.84 or lower, you are vulnerable.Check Version:
wp plugin get fluent-crm --field=versionVerify Fix Applied:
After updating, verify FluentCRM version shows 2.9.85 or higher in WordPress admin plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor-level users
- HTML/JavaScript patterns in post_content containing 'fluentcrm_content' shortcode with script tags
Network Indicators:
- Unexpected external script loads from WordPress pages
- Suspicious redirects from legitimate pages
SIEM Query:
source="wordpress.log" AND ("fluentcrm_content" NEAR "script") OR ("post_modified" BY contributor_user)🔗 References
- https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/Handlers/PrefFormHandler.php#L175
- https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/actions.php#L172
- https://plugins.trac.wordpress.org/changeset/3399640/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7129e5cb-ce70-477a-a8f1-3acf152dfc21?source=cve
