Reflected Cross-Site Scripting Vulnerability in Attachments Handler for WordPress
CVE-2025-12581

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Attachments Handler
Vendor: CVE Published:; 20 December 2025

What is CVE-2025-12581?

The Attachments Handler plugin for WordPress is susceptible to Reflected Cross-Site Scripting (XSS), which arises from inadequate input sanitization and output escaping practices. This vulnerability allows unauthenticated users to inject malicious scripts into pages, potentially manipulating users into executing these scripts by clicking on compromised links. It is crucial for users running this plugin on their WordPress sites to apply security patches or updates to safeguard against potential exploitation.

Affected Version(s)

Attachments Handler * <= 1.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/attachments-ha...

https://wordpress.org/plugins/attachments-handler/

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 20, 2025
Vulnerability Reserved
Oct 31, 2025

Credit

JohSka

JSON