Fast Velocity Minify < 3.5.2 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE 2025-12034 | Plugin Vulnerabilities

Description

The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

fast-velocity-minify

Fixed in 3.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1c02e03a-7f96-4efa-9071-4a76fb21900d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Cody Sixteen

Verified

No

WPVDB ID

fd3cd41c-e1fb-4bac-b461-8c0dc3226480

Timeline

Publicly Published

2025-10-24 (about 8 months ago)

Added

2025-10-24 (about 7 months ago)

Last Updated

2025-10-25 (about 7 months ago)

Other

Published

Title

Published

2021-09-08

Title

More From Google <= 0.0.2 - Reflected Cross-Site Scripting

Published

2024-10-07

Title

Royal Elementor Addons and Templates < 1.3.987 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget

Published

2025-01-16

Title

Custom Users Order <= 4.2 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

All in One SEO Pack <= 2.1.5 - aioseop_functions.php new_meta Parameter XSS

Published

2015-05-12

Title

Adsense Click Fraud Monitoring <= 1.7.5 - XSS