CVE-2025-12034

Vulnerability

Overview

The Fast Velocity Minify plugin for WordPress, in all versions up to and including 3.5.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings. The root cause is insufficient input sanitization and output escaping, which allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts. This vulnerability only affects multi-site installations and installations where the unfiltered_html capability has been disabled [1].

Exploitation

Conditions

An attacker must have administrator-level access to the WordPress admin panel. The attack vector involves injecting malicious script code into plugin settings that are later displayed to other users. The vulnerability is limited to environments where unfiltered_html is disabled (which is the default on multisite networks) or on multisite installations specifically. The attacker does not need any special network position beyond authenticated admin access [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts that execute whenever a user accesses an affected page. This can lead to session hijacking, defacement, or redirection to malicious sites. The stored nature of the XSS means the payload persists and affects all subsequent visitors to the compromised admin page [1].

Mitigation

The vulnerability has been patched in commit 55a8b53a2ec6d358f8d7ad181170b9d8112e78ab, which adds input validation and output escaping improvements. Users should update to version 3.5.2 or later. No workaround is available other than restricting admin access or disabling the plugin until updated [1].