Reflected Cross Site Scripting in URL Shortify WordPress Plugin
CVE-2025-12684

7.1HIGH

Key Information:

Vendor: WordPress
Status: Url Shortify
Vendor: CVE Published:; 15 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-12684?

The URL Shortify plugin for WordPress is vulnerable to reflected cross site scripting due to insufficient sanitization and escaping of a user-supplied parameter before it is returned in the page output. This oversight can be exploited by attackers, particularly against high-privilege users like administrators, enabling unauthorized actions and potential compromise of sensitive information.

Affected Version(s)

URL Shortify 0 < 1.11.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-12684 - Proof of Concept

References

https://wpscan.com/vulnerability/8f1e04c6-8781-4366-99d9-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 15, 2025
👾
Exploit known to exist
Dec 15, 2025
Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Nov 4, 2025

Credit

Nguyễn Đức Toàn

WPScan

JSON