CVE-2025-12684
Description
The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross-site scripting, which could be used against high-privilege users such as admins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
URL Shortify plugin before 1.11.3 has a reflected XSS flaw via an unsanitized parameter, allowing attacks on admins.
The URL Shortify WordPress plugin prior to version 1.11.3 contains a reflected cross-site scripting (XSS) vulnerability in one of its parameters. The plugin fails to sanitize and escape a user-controllable parameter before outputting it back in the page, leading to the execution of arbitrary JavaScript in the victim's browser [1].
To exploit this vulnerability, an attacker must trick a high-privilege user, such as an administrator, into clicking a crafted link that injects malicious script. Since the XSS is reflected, the attacker does not need authentication to trigger the payload, but the attack requires user interaction (e.g., a phishing campaign). The vulnerability is classified as High severity with a CVSS score of 7.1 [1].
Successful exploitation allows the attacker to perform actions within the context of the victim's session, which could include modifying plugin settings, creating new administrator accounts, or performing other administrative actions on the WordPress site. The impact is amplified because the intended target is high-privilege users [1].
The vulnerability was publicly disclosed and is fixed in version 1.11.3 of the URL Shortify plugin. Users are strongly advised to update to the latest patched release. No workarounds are mentioned in the advisory [1].
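As an added illustration (not the plugin's own code, and the advisory does not name the affected parameter), the following WordPress-style handler shows the pattern the advisory describes, a request parameter echoed back unescaped, next to the corrected form using WordPress's sanitize and escape helpers; the parameter name `us_search` and both function names are hypothetical.

```php
<?php
// Added example, not code from URL Shortify. The parameter name "us_search"
// is a placeholder; the real parameter is not named in the advisory.

// VULNERABLE: raw request input is written straight into the page, so a
// crafted link carrying HTML in the parameter is reflected into the browser
// of whoever opens it (e.g. an administrator on a plugin settings page).
function us_render_search_box_vulnerable() {
    $term = isset( $_GET['us_search'] ) ? $_GET['us_search'] : '';
    echo '<input type="text" name="us_search" value="' . $term . '">';
    echo '<p>Results for: ' . $term . '</p>';
}

// FIXED: unslash and sanitize on input, then escape for the exact output
// context (attribute value vs. element body). Legitimate search terms still
// round-trip correctly; markup in the parameter is rendered as text.
function us_render_search_box_fixed() {
    $term = '';
    if ( isset( $_GET['us_search'] ) ) {
        $term = sanitize_text_field( wp_unslash( $_GET['us_search'] ) );
    }
    echo '<input type="text" name="us_search" value="' . esc_attr( $term ) . '">';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
}
```

When reviewing a plugin update for this class of bug, the check is that every `$_GET`/`$_POST` value reaching output passes through a context-appropriate `esc_*` call; sanitizing on input alone is not sufficient.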
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.