Stored Cross-Site Scripting Vulnerability in Nari Accountant Plugin for WordPress
CVE-2025-12371

4.4 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 4 November 2025

What is CVE-2025-12371?

The Nari Accountant plugin for WordPress is susceptible to a stored Cross-Site Scripting (XSS) vulnerability due to inadequate input validation and output escaping. This issue impacts all versions up to and including 1.0.12 and is particularly concerning for multi-site setups and configurations where unfiltered HTML is disabled. Authenticated attackers with editor-level privileges can exploit this vulnerability to inject malicious scripts into pages; the scripts execute when an unsuspecting user accesses an affected page.

Affected Version(s)

Nari Accountant * <= 1.0.12

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ivan Cese