Orbit Fox Companion < 3.0.3 – Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy | CVE 2025-12045 | Plugin Vulnerabilities

Description

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

themeisle-companion

Fixed in 3.0.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/139a264b-082b-45db-ac9e-4974bf86c56f

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

ace553f8-9213-4ef1-a261-f25112dc8b1a

Timeline

Publicly Published

2025-11-03 (about 5 months ago)

Added

2025-11-03 (about 5 months ago)

Last Updated

2025-11-04 (about 5 months ago)

Other

Published

Title

Published

2022-10-28

Title

Slideshow SE < 2.5.6 - Subscriber+ Stored XSS

Published

2024-08-12

Title

Flaming Forms <= 1.0.1 - Unauthenticated Stored XSS

Published

2024-08-09

Title

Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) < 3.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting via Agreement Text

Published

2016-01-26

Title

WP Easy Gallery <= 4.1.4 - Reflected Cross-Site Scripting (XSS)

Published

2024-06-27

Title

WP-Lister Lite for Amazon < 2.6.17 - Reflected Cross-Site Scripting