CVE-2025-12045
Description
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Orbit Fox plugin up to 3.0.2 allows authenticated attackers with Author-level access to inject scripts via unsanitized category/tag names in post grid widgets.
Vulnerability Details
The vulnerability stems from insufficient input sanitization and output escaping of the category and tag 'name' parameters in the Orbit Fox plugin for WordPress. Specifically, in the renderMetaGridTags() method of posts-grid.php, tag names are written directly into the visible label text and into the link's title attribute without esc_html() or esc_attr() [1]. Because a term name is stored data that any later page view re-renders, a crafted name injects arbitrary HTML and JavaScript into every page where the Post Grid widget is configured to display tag meta.
Exploitation Prerequisites
An authenticated attacker with at least Author-level access creates or edits a tag whose name carries the payload, for example a double quote that closes the title attribute followed by an event-handler attribute [1]. Once the Post Grid widget's meta display is set to show tags, the crafted name is rendered into the page and the payload fires on hover (an injected event handler) or on page load, for every user who visits the affected page. The official description gives Author as the minimum role, although the cited proof-of-concept demonstrates the attack from a Contributor account [1].
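A simplified model of the pattern described above, the term name written into a title attribute and into the label text without escaping, next to its escaped form. This is an added example, not Orbit Fox code: the function names, the markup, the esc_html()/esc_attr() stand-ins (real WordPress provides these functions) and the sample tag are assumptions made for illustration. The parse-based check at the end shows that a browser-style HTML parser sees an onmouseover attribute in the vulnerable output and none in the escaped one, which is the regression check a reviewer of the fix would want.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code. Models the output point the advisory
// describes (tag name in a title attribute and in label text) in a vulnerable
// and a fixed form. Function names, markup and sample data are assumptions.

// Stand-ins so this runs under plain `php` outside WordPress. WordPress's own
// esc_html() and esc_attr() encode <, >, &, " and ' for the inputs used here,
// which is all the example relies on.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Vulnerable pattern: the term name is concatenated into an attribute value
 * and into the visible label with no escaping at the output point.
 * $tags is a list of ['name' => ..., 'slug' => ...] arrays (stand-in for WP_Term).
 */
function render_meta_tags_vulnerable(array $tags): string
{
    $out = '';
    foreach ($tags as $tag) {
        $out .= '<a class="obfx-tag" href="/tag/' . $tag['slug'] . '/" title="'
            . $tag['name'] . '">' . $tag['name'] . '</a> ';
    }
    return $out;
}

/** Fixed pattern: esc_attr() in attribute context, esc_html() in text context. */
function render_meta_tags_fixed(array $tags): string
{
    $out = '';
    foreach ($tags as $tag) {
        $out .= '<a class="obfx-tag" href="/tag/' . esc_attr($tag['slug']) . '/" title="'
            . esc_attr($tag['name']) . '">' . esc_html($tag['name']) . '</a> ';
    }
    return $out;
}

/**
 * Regression check: parse the rendered fragment the way a browser would and
 * report whether any element carries an on* event-handler attribute. A plain
 * regex cannot tell an injected attribute from the same text sitting safely
 * inside a quoted attribute value; the parser can.
 */
function has_injected_event_handler(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: a tag whose name closes the title attribute with a
// double quote and appends an event handler, the shape the advisory describes.
$sample_tags = [
    ['name' => 'news" onmouseover="alert(document.domain)', 'slug' => 'news'],
];

$vuln  = render_meta_tags_vulnerable($sample_tags);
$fixed = render_meta_tags_fixed($sample_tags);

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";
echo 'handler injected (vulnerable): ' . var_export(has_injected_event_handler($vuln), true) . "\n";
echo 'handler injected (fixed):      ' . var_export(has_injected_event_handler($fixed), true) . "\n";
```

Run with `php example.php`. The vulnerable branch emits `title="news" onmouseover="alert(document.domain)"`, a real attribute that fires on hover; the fixed branch keeps the whole name inside the title value as `news&quot; onmouseover=&quot;...`, so the parser reports no handler. The slug is escaped too, even though WordPress sanitizes slugs on save, because escaping at the output point should not depend on what happened at storage time.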
Impact
Successful exploitation runs attacker-controlled script in the browser of whoever views the affected page. When that viewer is an administrator, this can lead to session token theft, privilege escalation to administrator-level access and installation of backdoors; stored XSS of this kind forms part of real-world exploit chains [1].
Mitigation
The vulnerability affects Orbit Fox Companion versions up to and including 3.0.2. Update to version 3.0.3 or later, which escapes tag names at the output point [1]. As of the publication date no weaponized public exploit code is known, although the proof-of-concept details are available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Themeisle / Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More, range: <=3.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php (NVD)
- plugins.trac.wordpress.org/changeset/3388856/ (NVD)
- research.cleantalk.org/cve-2025-12045/ (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/139a264b-082b-45db-ac9e-4974bf86c56f (NVD)
News mentions
No linked articles in our index yet.